quasar | d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

max time kernel
769s
max time network
736s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2025 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.txt
Size

18B
MD5

5b3f97d48c8751bd031b7ea53545bdb6
SHA1

88be3374c62f23406ec83bb11279f8423bd3f88d
SHA256

d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
SHA512

ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.127.0.74:4782

Mutex

5ac3c1a9-02ed-44a0-8756-608736e9ea7d

Attributes

encryption_key
06E2210085C96FFF2079E2BB385DB2B954D581E2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/3744-671-0x000001EE12BD0000-0x000001EE12D08000-memory.dmp	family_quasar
behavioral1/memory/3744-672-0x000001EE2D110000-0x000001EE2D126000-memory.dmp	family_quasar
behavioral1/files/0x0004000000025cd3-1059.dat	family_quasar
behavioral1/memory/4892-1061-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4892	Client-built.exe
2244	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
1	camo.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2872	ipconfig.exe
980	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828958078188330"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1 = 7e00310000000000415a987811004465736b746f7000680009000400efbe4759e560415a98782e0000002c5702000000010000000000000000003e0000000000dc8379004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = 6600310000000000415ab57810005155415341527e312e3100004c0009000400efbe415a9678415ab5782e00000079ef000000000400000000000000000000000000000036374c005100750061007300610072002000760031002e0034002e00310000001a000000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\NodeSlot = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0 = 6600310000000000415ab57810005155415341527e312e3100004c0009000400efbe415a9678415ab5782e00000079ef000000000400000000000000000000000000000036374c005100750061007300610072002000760031002e0034002e00310000001a000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3524	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3552	schtasks.exe
2072	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4056	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
4592	msedge.exe
4592	msedge.exe
4412	msedge.exe
4412	msedge.exe
3104	chrome.exe
3104	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4056	explorer.exe
3744	Quasar.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3744	Quasar.exe
2244	Client.exe
2244	Client.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3744	Quasar.exe
2244	Client.exe
2244	Client.exe
2244	Client.exe
2244	Client.exe
3744	Quasar.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
3744	Quasar.exe
2244	Client.exe
3744	Quasar.exe
3744	Quasar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3524	4900	cmd.exe	78
PID 4900 wrote to memory of 3524	4900	cmd.exe	78
PID 4592 wrote to memory of 2248	4592	msedge.exe	82
PID 4592 wrote to memory of 2248	4592	msedge.exe	82
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 808	4592	msedge.exe	83
PID 4592 wrote to memory of 2140	4592	msedge.exe	84
PID 4592 wrote to memory of 2140	4592	msedge.exe	84
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85
PID 4592 wrote to memory of 4768	4592	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdfb33cb8,0x7fffdfb33cc8,0x7fffdfb33cd8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,12013167392761853257,16092639258989158425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcd95cc40,0x7fffcd95cc4c,0x7fffcd95cc58
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1768,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4500
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff729584698,0x7ff7295846a4,0x7ff7295846b0
    3⤵
    - Drops file in Windows directory
    PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4828,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3236,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3724,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4880,i,1450102461660840606,2137023421883843515,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4696

C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3744
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4056
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12
  2⤵
  PID:1780
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12
  2⤵
  PID:2880
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:224
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:980

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4892
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3552
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a9d50ead56485f33369d6879fcadb163

SHA1
5b6268b92c7c68ea5ff28dd6ece3e951d0e8c836

SHA256
4bd357e528a5dacc7d0b10b3f52b8e99f52d86b2e40daab838e3d466766d2dfb

SHA512
7050b71583339425ca1caf2bda880a752e1a591301cc05bb9c6edab49ea8474665de9b2205a82489cf1e215e68a9720febc404fd9e5aa6e11ca95b9b8f1976eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3d5c17aacceb158a0b632b0db704ec55

SHA1
f188ba8efe60ca5daa6f917c2d9c938da3777ae1

SHA256
29511d331c2a03f5950e5380c6448e3ae4957f7b5706baa7ad3960df5807ce31

SHA512
da793580c8fbe72a63dd39ed3143ccae8a49d08b5b75187d87e0e3cb2411602dc4b5273fc44fec4ebe4d722c9da9041e5b2bcb0232f0df46fe7f972e31d115db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
24ce4dfe7ec2d21985eb0a6cd846d66e

SHA1
33b3ea5aa5923c03320377f69107322c9d8f1795

SHA256
f70b6d259a29e7c00990c41c9908e94dbb1bf125fa5b3dee99f59335323dd4dc

SHA512
c5ebbc75dd8fef870c6e6d772d680717af65e93cefab1307ff068acf0a9cbc98c67e57e0d006215e4cfe6c8f10e8c0fe9bfb88fb529628a6caac7ee1f3afecc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9c1d110acf3d5dddd6b75009179f285e

SHA1
462a24b150d39b949dfa2d5b060b01d449af072f

SHA256
7a22ce09e97fe8df67e3f9e36bc48777756475fef300cf0e9680a20cb823ad2b

SHA512
d703f2dcde9e3079bc2f3e0c01ec643917f2e9ee0c3691f73c2a3fcd714ac1dfec32d69808b9bf86d2c1cf6292e9b929b117f5e5d9150b2b698ea18a25e9d207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2c8d6e40b4ef3bb5b53f8f0cd17b395f

SHA1
15fac56ddf03bbb3806e90cb178336b0cd58f6f0

SHA256
295da2cf2ba2a4418fd40888a29f1858d099b84fbc7962632151874ba7dba380

SHA512
b2afd8ff7852693b40fa9318b3b3f1456637dea64c3b48d5b133eeca1c73256b0ec15e4aa09cb3ae5870b17fa7b6a819fb31550232bce99424b0d7530b4cce7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d19f5ed08c5cdafd0a7a37c49021df87

SHA1
45dc43caf7c2d717a9e88d5770a4711418504370

SHA256
f97523ca40a6fcaf73e8d378a672afa5871d4ce05cd78f2958523c7f29a31318

SHA512
3f47912bb00d8a10ea8b7879830d1395dcc6c21d72f65e149c75f1b7e7b16270214022b2855250b7f542aa8827894516b702f57d355c9436434cd8bff5a89b71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d699b80b07b27c48cc27bfb2004f39db

SHA1
676e5b166e03a82bad936b23c3f96c75426ccedd

SHA256
8b5c5f941aadc7d3870acf542bd0f0bcdf4d6cd87e2aa501e0b3b3ee04425494

SHA512
ae8707f8b2ead20b9ea3dd29246f1d72bb2936cee0e01c61cc61f745fd211920a23e96b900817f762184545aec04229608441ad503805f6ac31006a3c0aae5b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8ead240ce2e0a611c5a72d392b03fa24

SHA1
4a0d90df9d1dfd6afc6dc94df64d138dd19eaec7

SHA256
6cbb03b7bb5df8ad4052c174345b9e4ee058b87b265f5aa283c5019b604f6fe6

SHA512
53bd25ea49cfec45d6dbba08f98ed0895f1d18a52383298b5cc4756f4f1d2ab90d8f73cf3d42083e41f35928576cd6def36cb8d3504e11bb3e7439da7b795c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9d67baeec5ac821abc5171c93e1b8ee0

SHA1
984c21a39501da62e9ca92dbdbaeb3028a523095

SHA256
95c3ad060518a6bec427ad3dadd123acb9f7fce0eedf8e0fba004db395ac421f

SHA512
01cc681a687b2c6764b0fc4a6150dcc6cd4e394da89a788fc4bb3d373ab0e2e95034173a4947659a82cf48143b62db1daf740d87889cf4448ba84757bfab8cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
15bc00f0c1fc8c96075854e4b82a3741

SHA1
7f0ed539730fb8062076a819e5d042ecec42f06c

SHA256
f32a340c83509e57df6b830bc678adda1378f4e1412bc0159a90879d130c726d

SHA512
74011776cc63fc7378ffd640b5858331a2fde906a8754067240022e8d05564b63a8a4bf0f08594a817f7340a6d8fba7fc9899042c484de8ebd4b6c1d88fcb687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2935f1443a0b51cbe1d567b3d567984c

SHA1
578057cef90f47c721ea526f9406cd75383eeb40

SHA256
d8af0f3184ef283323334ed69da9a44c71ce18796bd985908b80d049417b8369

SHA512
39149ebf5eafe5f665bbb4514e2a33bf2b0e20162a688279394a704b8184cfeeac30521c8e53962334a1af7e928d428f212f1c51e58eb11aefe3cf7fb565820b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3ba7f01c4fae39501c8cc1cb665865da

SHA1
dde99501ea8f5a7eb852aab2dc940667f8ceb2b1

SHA256
30328919507a602b12ea515df97b35ae5ac43547a073d1f1c6b3fa43934e8a4a

SHA512
e064b55392fab7f67ff00f3ddd1c74d3243405a97d1ca6ae0512a5a679de430f464ffdf67eb3312aeed1a0d5ab9a02d7e6eeb22d90b3a17fcb9ae98ad17bc0be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5681ab9eb3acda52f4ac22bfd138898a

SHA1
75bd6c6ec45af46525e4df9aafde247845943ac0

SHA256
264f5c14155b1cf1aa66359ea9799a47d03be1b3447e07a1bdf1d28799ffffa7

SHA512
4c917e56c2fa38897e5c00a23c7187e5abbdec133a742b8b28572e021eaa7b010d65ac74ba6c768e5b8ca761e4570e86abebafcad6fedcca3489b71dd4c99aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a8ef18ba65e9d5ca9301ab62a29446c8

SHA1
caa5e2a49316f2449e747e2340a0bbed146d535e

SHA256
529c45dc668f73653ab8d1bbd70dc96ce52ed52c123b25f878667354f1def1d3

SHA512
ac080a4762ab2e71fd62395019ac822528bcc009fcfd7c656026a3bf0fe293d0fec6fd3b2aa1a01f041610168253311061493788ee1f9738862257ba14810737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5a25128063d97f6698addde743320c5

SHA1
e1c8dbbbffb6f9015212e3480dccbd7f201d018b

SHA256
11774d8946c90b1ac18d91f15ca7319fba4496d86f486fbab433b812252a7d0a

SHA512
105658f5e0d5d3ead460d767f70c74537fe6077f92ea9cbcceee40ab5e8ddf97ca2fc7c20cbb325a15a36d8463d689000b4d8fb0ec9ed7db2c1ceb07bf95204f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22aa68576948e417a62be0761e55d324

SHA1
2bc89e60864d9a391c6c899f5c8f3eba5ac33dd7

SHA256
5ab0dc9a691924ba6c1a0c23d94770bec26564295ee18c9b0d34ffd0a51dc024

SHA512
a2f5db61329fe30f67d6f97674aadc12b7544c49622ab9d2fa991318ebda71f44d8b23f6098ede6c4f9553a842d18244ed16252d3809cb64a04f67487e58b8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79d18806e0d967bfa66cdd2b7f0285ea

SHA1
e34e39bea9e28cc298d07ee0416ed9fdb37440f7

SHA256
bb1bb58beaf5a8baac79c683e531aaf8dd716448696ce736bf866d4cfedd2ad9

SHA512
d5098f0aec03b61980eb8ffaab242b5d2995716ccc462b4cdb9990db445d3c339688787a6de39d5c534f7517ca17331260d6dc9754231b07f0f6815a3ba93534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cb3e59fc684eee5e3c888b0d7a896a4b

SHA1
cc500b4b1d3a4f735a7262d37fbb8ce577a38d8a

SHA256
806921ac7dea7dfe6448bb0af6b355cb2d23a30cb4a9ab4d77c7bf2432ee374c

SHA512
5691a4cbc471613ab5b6368d2ce093a9c0d187489155cf2d07a772c683f2eb35bbf063fd5b7730a746829abf066223db2eb0de542e159c12bcd6efc5a4f30c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c086860687b71f395d7a56f319572e4c

SHA1
cce495c6ae875df51f0a805d775abe7e5e60b800

SHA256
fb12dfe110f46b694add604a16018c471a755001d840ff8f75e70afbd3532e77

SHA512
eb33f35ae896525980e26d2a45664a8106431670ee59aa50090b0fc755a44be3436b88a04241b49ff141e756d5762057b9072bdf1b0b95754e01f913ee7cd826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
033e87558e02abe1fe9ec87d79a8d87e

SHA1
98e01ce95319d6277e6362bc06a93a694fa9067d

SHA256
9933b3faf6725b0ecb739a2dafe20b405416df087f477e1f634608bc078a35fd

SHA512
dff424acc94b259a79c2de4c0137a202263f75e398bb602c7975e0b6fe8d7913a25a5ab035ca64a0b6855b08a2b2c7da1a1ec8725ce746c0ea11a0d0d4e35fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da607f732300d9e5b4d873ec4c5a0ba2

SHA1
0d33f8575051975db3b51a55edfb3641d50374b3

SHA256
ff3af0793f6f739020bb2b73f88b162f8efc45cf3a8a559f826ab32534424161

SHA512
cbfc29a3d264db1bd1500a7983c4595dbe6d268227c4748d018e1aa8c96544c5aae296f331756b1dedee41489c879e27e6acf69133431b8c37d4b19e22209311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9e6240490413e6342d93aab02218be52

SHA1
ccbb871c74dcaaacb4ac2b6f9f52ed70f55c9504

SHA256
d901ce45e4cf0a3527e2abaeb840300ce7d78b96ef7bf115ea26b0d344bc5741

SHA512
6844109b4bd649b7ca390753052e39ba69ecb100b56133f5733a9220f90530417c37b24123aa523502b05f26ae7b9e387f1d519a7ca4cfcca3a984afccfff225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e229fd532809cc78c9299676142661b

SHA1
4b32edf666199f8e4a2030659485dcc6b291f2d3

SHA256
628a12b090229215289f46c9de1b011d435b807c2c0a9c06b2606c8171619ad4

SHA512
3f66882d9be5235471522db422d92e7a56f50bf3f6829fb9865f17bc6397ffa3ef1ac1a22c5c485951288660b009942869e52c05a7cdfbbc881128a28100f94e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d2bf12d4af88ceb43f290097ea4d90ed

SHA1
c8984d1f6416918d04b7350baf2034ffecf34ab7

SHA256
37e320098c32baab2cb3fd6374294060b1b154f033ef6d398708b6372b43afcb

SHA512
15b2507b1e6d1e5ea1d2d04b9c3b368d781c60324011ba2957e7c329f0718522a3dfffeab8b0c40aa423dbb8ab819a16e16de9b126158a5b0a7d317089f1dbeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
89470bda7b153b63004f4037605b5c22

SHA1
420562ba249af80a7b5834974c26c753a8a8db15

SHA256
061f91c93556c1be1f897915caf13655c9cbc54883a3baecf02230f9312b4638

SHA512
814f3d92282fd83ea703b992bc6e410ce785639df6a826154cead8c3cc1ccaa7b120f12dfe6d847e50a7160077e84a42c629f35cdac2e245717bc60b83e05608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b6f1fcfed28c49740aebc3bbadd915e3

SHA1
247f2c0b3774ec138cf34e4311db75e5667f4bd4

SHA256
011e3cd0f24552012f58fbe3e90de3054139cb1d3564b7bcb722619ff83829d4

SHA512
b9dd53ea3fb225c8635cea0933910099e67b5b7c9e81e0da8866a6989bc39fba53b1eaa151aacacc281aeede0cf6c3bc7602dd153bdd7de86e57971b64f21d0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8f12c1898c1adb44a206cf637d057054

SHA1
51edd777e940f627189d1a066772947bad1f5ed1

SHA256
9866e3d6811f8df7a705e184f2a533c4506a518df0972eedf33f9f786f4a3c18

SHA512
b3b31dbb7a0fecab5a4d7144b40b4edaa28ce83a59918241d10de41dba1d64563b3a8b5e72fccdfbbd7425d5a45c0485a30564037f3b1ed5f1c5b775c0bfae3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1e28d7efbae9b6086741370ce8c2f6cb

SHA1
f6184e97add34727d07092799fcae97f3573c25b

SHA256
3b69abbe5881c7c9ac9fcb1367d25f5823fbb68dec7f63a762c03ceaa5c8b0da

SHA512
bc938f77d6dd494d090e46670c99967b3da9d9a5bf2a4c5adc8121449cdecd7cbce13dd3359ce244e1ce3b15f60de40d55b6bd0860bff0910ddcfceda97ae604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f5d6e23893cf76665ef0009006d00d2

SHA1
86c03a892d7668e9e979ab6aadbeb25444fa6dff

SHA256
9973373f1ab8265a8744bfddc64861ef4a643ab7b7b2247e9a3f719b9229703b

SHA512
c14d5869b5e5cee0e44a3091b3d2bc33d7734b97d9d5737516ed01cdb091617cff33cfb37d19f0c16af00d6766ba60043e86b6d1e5d2ac3c016805a227360ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ac829aeee9969d5e0e8604fa5309629

SHA1
810b6a9e54d22f5a668571f3ae964729a537cb9f

SHA256
062b46a27705a5b104af28c6429d0c69f86b3873a017891ebfe86ec558eb7e25

SHA512
82033c285b0a451751a2e35d5824cc346324512c294661935b2fc6d1fa7139f4a9c4f8297e7cb70819a3a6650d79fc713f4771794151f62e9e80bde1d8e8fa21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5609f22822826397c06d90e824c4c99a

SHA1
80cd4c48420e7e46413f9ed99328ff496b000063

SHA256
e0dca469b16f61ff6b163eec0bb487fc5e1d4973f0ffabebf19551161cf61488

SHA512
73731168911b078c063a9b2dcddae98785c2834aca2fa09b012d0543c7f7fa9c76f5d6c838dbbabccd17b2a1b20253ca14ac782a0e9b875aed1de1ac908cba9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad4057bbc95e234041f20cffed89a653

SHA1
82ed01cbbfe702cdbb2fd5ddce2d9a38471f0bd3

SHA256
f738f6188ebf86039ceabb20b20ff40e4e5f957754401520875afc5caf3e1b5e

SHA512
56abaff08552f4dc986b7b10d4e9115bd206a26170fba9837c4616f03b3a75cdbcf4d8b85590a7e7dd348dc1c51fd1402890d00f2550d7760071463e85b80413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
95e96beeb49e856a8aa50794ef96c998

SHA1
0986b2fdfdab89f190e31c0b1eaae3a8e629020b

SHA256
a5a0f514eb428e0d38f8fc9cb4006f59bdf0c60e613627e73efc90f401632446

SHA512
3da021d5d2b488112e2932f50d0b48713309722c4a498f100b35398e05f77588646b29312eb651ace89a4d8e820becc9e9784d486bcc15b6cd5f125cc793ef59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d81613e049550cad6bfccb6a507cba32

SHA1
719db45c876a0919dbf22566fd250d07f7b10265

SHA256
a568ecc5ff365499b97d83256469780f6c1009e4057fb3a0223bfc43de40f3b1

SHA512
1a04d8e87e5f6ccf0ad9869b3c2ce76a61e4ff6f0ae2f4e8bb1133cb5c58e775379fb861a5321b970821a57a3a7f087cd85852e8154639c5ae9e1877302a8204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
63390dedd0de5de5f627b1c4a8f085af

SHA1
83bc68093bf5e543fc7c1e4488d670f051dd3533

SHA256
2a2ff58b08145a7559f0c6bac60ae1ad3fd58c0cd30a20fb1ff9cd0cc218e2cd

SHA512
ae9b64039f41512819a4e742e1c968ab2be538dc2139d669a748cebcca15ae05b1a83be41a9007e823ad4615c9953cb2fb7b4001bc276921d4603fc3ce6ecf3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0bd4066f24386d3285ea984ae10472ba

SHA1
bd962c1412b4b4c8c3a0acf1343c8487c975137b

SHA256
ddc76e1ff824c481f6147ae5b55c3560f9f75362546c1818a65020d2025fd879

SHA512
6cd013363d4f308cb676c1d96c2c8725bf9b33e670341a7dae8c9f0a80767fdedcfa457967572e4ffe8d158a666a0afff38b1f237c1879d929e1beeebc0fe33e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dbd6e48e968fb2ea3f5860bcd7aa83e8

SHA1
e74b4773402c698232318ac70e76b83606f22db0

SHA256
742d6e287468a806750586cdc4936b714ae43aa8bfb8c38b72cec365c9fcd949

SHA512
fdf0dd18907369a75578c278d8f732317fe1cd8659880cc211ac43aa101c981d20a91e2b5c0134c75f7aadf9cd6df06e82691970a22413dffc3cc4f51dedcad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc431738b8ba63e515f5a80ff9f99482

SHA1
ce70732840e522c3c9505b70b9a8f7addf9f925d

SHA256
e40d8b91e95c54d377ac6eb9970f807fd179ba0519256db45b47876ab635eefe

SHA512
3cb30b637c4d0e9aa59bee35ce3db7772205d289a6feaa43d8160f6bf2fbb6fe49cc407f27317dc44d6185acfd4a497ed5301c39759a0c623c7c314f137450ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4aa8f2a7023c882aba4dad22b2ba83c0

SHA1
9b485a090b5e866182ebc1d85041b31c178606b4

SHA256
ea1c4829f4808b3824b59b2f1bd6843b56a728ed761942cae46256aa997b7f31

SHA512
bc29f329155cf460f2fe20cf7dd67f9d7993fc1909728a7c4d0c9fa4cc4da981987c0c28874a2d1e69168dd7b9bb0189a4a9de06b079770e04da603e5768b713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9c62a0a9b556da3d96e1fcb05d544818

SHA1
9787eac6964afea7dbb81088930231f5df470af3

SHA256
a46c24002264febb443bab89031ccb0746f13c9d52445f50659bb0abe254f227

SHA512
9429f755d9c30f862eb9caa70d3adbacd79d5ccc06c2c7063179fb073df47b64636631b9b77d6af8b620e198f87e463d2e6facb1f3993c1d5f12b2028c39f688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d7c57085db6881adc8e70c1a340c9a2

SHA1
ceec16c4960851885ddbbc401547573e5763e094

SHA256
7baa32b7c4a6aee729243ee5f2d70e78c2625a89bbc3a65ed367dedd8f566375

SHA512
577c90bacc77d60a79550058547c09cad804d05251a858a6758b76e052b02ec2d53438acb20d5342934ef35961dcf1aabb5f2d450cc9c37567155fd38664510f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f4e8fe561e2140f03ccaf94263e5046b

SHA1
7da7330b48f4551e20f01aea83799b86c2e7c3ff

SHA256
116f11d8c790e6281a0e293410c29f3e9be05d3f19e1d0bda9018b666b763af0

SHA512
dc28de9c1b1c03c7e92bca7ad1d37d7358b54aed9664a1cf0d627f4523db2b16a607a33c0106df0ddbbbef5b5c549c2dd9c6edd8731d3a6549c4c5f7d47b52bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13b28a277157a3072cb3918b67129d66

SHA1
52876fec030f233b6936805f34190a504ff07611

SHA256
a737959a790844016ae24151b2f569cf20119e0bdc10f063410ee8e406fe8b76

SHA512
f83dd0929597a663910122c5193cdbe5a53ab213d6b8acaa46581c3c6d4104a06739036b37bed93446b0ff525d10361a15d1b5edd2e16bebd14fbacaa8d8b6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d9d74b26287ddc7effa00ed303f460c3

SHA1
5e3679478d714d4ebb972a0e8e80ef358e5a1d0e

SHA256
61d0bca73d033ce082ddccc9ca5ec45714565ce35e9a4fcf0ab8837b05731053

SHA512
78f3b475ca8cf5f44b9c3659d5c70ddf69d9ff5117250179db90ebfcb243f31c5c22153c6a73e08a1749d3697de64f59d3f7ebc1327f77789dd86d287e2bfb16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c422e5e8ea551ed69927d119c281cd21

SHA1
097d84cd1dd701b002be9a5576856203eae3e86d

SHA256
f4b786ae4d11412a5afa74602261bb8f83f36f73e6fd8403e13bbfd7eae05339

SHA512
c35610e0ce06b4cfc1bbfae75543d88f751980eb329716f60382eec7aa3ed05671221285cdaf75995087c24bf701379a4ac7d42eebdc6ebe33290af23da06916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
58c6851ca97951c93560f47554b2be00

SHA1
42643d36b19ea0f46804dfc49a18c53da0a6251c

SHA256
1d1f816549fc25ebf4f501de7cf6b6aad7277bb6cb626c043c9d55d479393888

SHA512
7a90f4286b409cbe00a76b4b4fd3d39064a16653bf8f7dae0bdadc975629b9a29bbb9ad2e4de238a55dedb8f326cfff4351b5af499b09b3035f631c81be85166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e5a126372aeaec7ee9440bfab01e363

SHA1
4dde326593802d39d95797f525d7b3750e95eeee

SHA256
4895d7144be9e3bbf25827d49d2e582f7a7934b750f632148fafaa0468cdb1ed

SHA512
9f6efbed28c4f02895705cf6459017a58ed7daa486fc37394d5429116d4bf6f9c65fb0bd2587822ad63a98fcd139075d803a4a19b1782803b742bd1714b190f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d7d01b8a4e80e309e872cf555653ac39

SHA1
01869f4d970214cb338cf42beb01354722211bc4

SHA256
fd3074242935001a97f1c3c2e22d35054951d602df80f13744e5bf320427f4be

SHA512
198098903b30235e9aafa2a96e9e4ae5a281021842a4a150274cd2aa3005c31a92f2ae6b46a3cbd6a82175e390f8e141569274fc1565a61bcd17aad858ef8942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd04b6e23525948fff97009663038273

SHA1
9eb6ff3fa70779bd50f80b0bbd72312139f1c831

SHA256
2bdaaa8b3db6cc76b217e1b334b6caffbb95d186a1746ad3c5905d1df169c287

SHA512
ec94740dfa0cc113f5c32ea7d9892fe2bae9c9a020edd234d390ba7e36a7f09439a8f4cc9b8b9927cf6c63119121c6c1ec692df1af744928577b6b0022df7785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cdc8dc28d928fb1037fa0f6620f8f8ae

SHA1
698678e16f20006f460eb0cc97a313c370e7f345

SHA256
1f96ef71dfe21040a5553b6fffa2e53e78f60be29bba20fccfc15a04a4c236ae

SHA512
bb491f6702c8a0aec0161bde9004b4615dff1058f525c853919b853af55903a03db89b6ae5cbd1427f5b55a830439320fd92cc66ed62431090a6c9fe77cb4415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f3c69c18-11ea-43fc-b9c3-6808cbb97108.tmp

Filesize
10KB

MD5
044873f2be5f1df1f2f5f5af26eb7f8a

SHA1
9ba9ed6099c1bcb5af5a9a60c645e83fb564c330

SHA256
0d805c4f8d8723eaa0220b0e14f71d75e703637d42ba1f5854527d22da1fc6d7

SHA512
317251eaf00a6dced9b599626205fd5a45ccdcad163fd1519cada65865393c78e9f8634f21ec035d9d54c7832b50d98ec1f7c292149e19a88331803679ce073c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
22f901f78c607bf886a4f18cfcd5c4ac

SHA1
bb5771abe70c9ea58daa288ad3778b264619ad79

SHA256
3feb867b1a3a846c442ae7ff97ced1279f00b7f8472465d6ec583b1be1c01a63

SHA512
9a407504754f225f1c6c55be4176214d962d16297af72b2cb2b6cacbeb0cb28d04ceac797de8e5dcaa5e6d0d9a90911163ee34500259d57d1f9207b94ca25964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
c80942ad734291f61481537f0dcf7957

SHA1
de3780d5203c30128fe5a46c61778fd9d39f8b88

SHA256
c463d64d99f201babe889cde96a03d05c2356d2561a3097de45c540cbc49778d

SHA512
1e8fb43a2f6213e4b4ecb3417f9e66afcb877f3d15bb100714b24f2d0b63305c303aed38ab7d443d5775f22e230bb6dbf0675bd7ce6b28615fb5cb3b8030f9b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de3803d130e48ca8ef0b19461abf3601

SHA1
e7fd81de4bf29a4fdf65d45a1bee37342e54d052

SHA256
6a2433cf595076e7a883ad2c98c8bc1b31f71227045080fdb6d194eb2ab79572

SHA512
d915a57334e08751c6ce54b26285d3da40f2eaa3b6e658ef1e7fde5519dd73485bb9cefeaa834ae6f8b6fba3f9226e574a95e86f6127a88c5f23e91a75acc9cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ba913c37fcf7536e0a57c2e1820c00c

SHA1
becd2b2416b63923fe70af6727abc5273b736483

SHA256
9bf5f9eb5940d90d1dfda5a4ac5dd73a27e5d0a7f47ef36a8efcf418aa189cd9

SHA512
309462c24a2e0c0de4b47bd2ce1d8b38de57956af34ac355a71c318a65d306cb4f1cfc28a1d7a223fde8e4547a31333b1f1cde3293e5dcd743f806e54a3d1201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05fcb893d181e1d0270c04837b1477b0

SHA1
5d51797e0de218645cca7346ce1e72489fc42cd9

SHA256
c11e9b79a8927d41bf85b28da864ad2986e2128953e86fc5ab3a2f5cb0e137ba

SHA512
53f8016be1b9b6d584b7606e9b0c9f06d71055cfc9af981140a5f8bc17f06530fd81e70f3d404da883894442c965b9907a9178862e553c0b3b57fa31fdd4f098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2499603254-3415597248-1508446358-1000\c71ec9eedc634c4e442c4da96c0be162_8c9ee1bc-5364-4b37-aae7-4f6a9eeffa14

Filesize
3KB

MD5
9a8de14d5b340e83dd37754af1adfad5

SHA1
d1d1e9383dec4788e4cce1ee76de9e3d1804fcba

SHA256
e2772adb830ed8e3c37ea81956cb46f5590a0899878e0b8aa229bd46716b4a1e

SHA512
212b758025d476b037d06c879c09deadeabcea6325eaa8b1cc7638546f90e902657976699d910966353a49c70694952a8e8b16c67be6beb73179aeaf963e4411

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
3.1MB

MD5
09fa3aafdd34471ffb58dba0a7f93b6f

SHA1
2466e71c750a84edec3c63cde5b8e8bb5a4a2ab8

SHA256
1b31d00699669a2ce16590300e2a82807b9b1251945fe7fe841e93667fef7ebc

SHA512
2d5813fa17a3b001d05bf59b9c2e745894c99b9264f0d097e36b4622e858f7a323d6677c79a52545b260bae6ccee3791e16c6e786a7e98758dd7858753d37565

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml

Filesize
1020B

MD5
ef1d73cad817c141c20f4e9e1c8465f0

SHA1
1f46812dc52d6f299613e8580d5ef0484417648a

SHA256
d9469c1fa838c8a15dd427d1df8255ba26a3deb9aa191546306de777b45fdf1c

SHA512
9e31dfb583f5991d6feff8fa0e9824fcb7fe6369593565392bd816672eec35bfb784ab8b25bf5c425e995688e794a7e5a3f4c2d61e426a5d166a1d4621d905ec

Download Submit
C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12

Filesize
4KB

MD5
4d2fbc8fb468e4ea45825d884b72b3e4

SHA1
6a6328981a37f461b6c12cb9d12d3969d3eac849

SHA256
f44dea234e8b90aa63cfca0b3ba6e832053d4c9340e08476b83d3663e08bc94e

SHA512
142e0034ff42a36a3e6556ace6144e2785469f35281ac2c0bebca3ea384ff832dbd1b31606d99c93a9666dd6aac77b589d08371887b9c64badff76f6b1997cf8

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip.crdownload

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2244-1069-0x000000001CC50000-0x000000001CC8C000-memory.dmp

Filesize
240KB

Download
memory/2244-1068-0x000000001CBF0000-0x000000001CC02000-memory.dmp

Filesize
72KB

Download
memory/3744-968-0x000001EE34BC0000-0x000001EE34C1E000-memory.dmp

Filesize
376KB

Download
memory/3744-673-0x000001EE30A20000-0x000001EE30D4E000-memory.dmp

Filesize
3.2MB

Download
memory/3744-672-0x000001EE2D110000-0x000001EE2D126000-memory.dmp

Filesize
88KB

Download
memory/3744-671-0x000001EE12BD0000-0x000001EE12D08000-memory.dmp

Filesize
1.2MB

Download
memory/3744-1107-0x000001EE2E720000-0x000001EE2E732000-memory.dmp

Filesize
72KB

Download
memory/3744-969-0x000001EE2EDF0000-0x000001EE2EE0A000-memory.dmp

Filesize
104KB

Download
memory/3744-737-0x000001EE32300000-0x000001EE32350000-memory.dmp

Filesize
320KB

Download
memory/3744-736-0x000001EE30930000-0x000001EE30948000-memory.dmp

Filesize
96KB

Download
memory/3744-738-0x000001EE32350000-0x000001EE32402000-memory.dmp

Filesize
712KB

Download
memory/3744-739-0x000001EE305D0000-0x000001EE3061C000-memory.dmp

Filesize
304KB

Download
memory/4892-1061-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download