Analysis Overview
SHA256: c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Enumerates system info in registry
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-20 21:45
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-20 21:45
Reported: 2024-04-20 21:48
Platform: win10v2004-20240226-en
Max time kernel: 152s
Max time network: 157s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32\window security.exe | C:\Windows\System32\window security.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32 | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32 | C:\Windows\System32\window security.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\window security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
C:\Windows\System32\window security.exe
"C:\Windows\System32\window security.exe"
C:\Windows\System32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.139893765\391655219" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99764600-2c0d-48ce-89e3-5e7b99a2bed1} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1964 18be6dd9358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.1.2048140710\1961094550" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf96a93b-f99b-4382-b612-b53c2d423a4a} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2364 18bda371c58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.2.2042228525\1882891753" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2872 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65c3b4e0-9562-4afa-84c9-b2d62bb4d493} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2984 18be6d59458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.3.503966835\1877543414" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db5b5b36-951b-4147-a5f4-0eb0aca0978f} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3604 18bda362258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.4.110759247\1023639588" -childID 3 -isForBrowser -prefsHandle 4312 -prefMapHandle 4308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a796236b-d1b8-4c20-969b-8c1e257958b5} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 4300 18bebfec658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.5.874469985\2107388083" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 5060 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ec3c84-2e55-40c3-8870-c9837edee9f7} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5076 18bed391758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.6.1279530681\734125218" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce70376-e6d5-4222-afe2-fed039914eab} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5216 18bed392658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.7.951141115\299101342" -childID 6 -isForBrowser -prefsHandle 2824 -prefMapHandle 5404 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46a12b30-2ed3-480a-8dfb-1f97a2d2f1c9} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 5496 18bed393e58 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3788 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 192.168.1.154:4782 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:49860 | | tcp |
| N/A | 192.168.1.154:4782 | | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 44.233.67.78:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 78.67.233.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| N/A | 127.0.0.1:49867 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 73.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5---sn-25ge7nzs.gvt1.com | udp |
| N/A | 192.168.1.154:4782 | | tcp |
| GB | 142.250.200.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5.sn-25ge7nzs.gvt1.com | udp |
| FR | 74.125.4.234:443 | r5.sn-25ge7nzs.gvt1.com | tcp |
| FR | 74.125.4.234:443 | r5.sn-25ge7nzs.gvt1.com | tcp |
| US | 8.8.8.8:53 | r5.sn-25ge7nzs.gvt1.com | udp |
| FR | 74.125.4.234:443 | r5.sn-25ge7nzs.gvt1.com | udp |
| US | 8.8.8.8:53 | 234.4.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 192.168.1.154:4782 | | tcp |
| N/A | 192.168.1.154:4782 | | tcp |
| N/A | 192.168.1.154:4782 | | tcp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/1600-0-0x00000000008F0000-0x0000000000C18000-memory.dmp
memory/1600-1-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/1600-2-0x000000001B9F0000-0x000000001BA00000-memory.dmp
C:\Windows\System32\window security.exe
| MD5 | 4d037c46eaf6b2e5ae5db85ef045c0d1 |
| SHA1 | 7bc3b6647192157a2cc4894f4c58365d9932a2cf |
| SHA256 | c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821 |
| SHA512 | 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3 |
memory/3640-9-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/3640-10-0x000000001BA30000-0x000000001BA40000-memory.dmp
memory/1600-11-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/3640-12-0x000000001BB40000-0x000000001BB90000-memory.dmp
memory/3640-13-0x000000001C750000-0x000000001C802000-memory.dmp
memory/3640-14-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp
memory/3640-15-0x000000001BA30000-0x000000001BA40000-memory.dmp
memory/3640-16-0x000000001D080000-0x000000001D5A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\f55b2e08-2546-4ed9-8683-69aec6970509
| MD5 | 4dc5100848732d9d02ea6b6abf113901 |
| SHA1 | 44ff952c6df297489d80f02b3911d87b7ff8172e |
| SHA256 | 05ab63a89c81539ec728bf034e92ac6a9d6404b9a10901d156f548954c0a4e44 |
| SHA512 | 4dcf8ee3fbc9be7181ae277c4acdbf5e55cdfce3a65b64bda67ba21db95d1b73d77a747ca8aa82c5917f3e0fb007d3c7918161c01f393aec2696423cabf9d537 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 064332ba90f38c7c67c23134cb127cca |
| SHA1 | 6dcae9d8ccb19011ab4022a88501ff2c508bab9b |
| SHA256 | d2e65aa40fab5ae1a7a83e9e2c506978e4aa3b1f8e67ca45e54e5f0ae8d12ce1 |
| SHA512 | 931b191d5db0a56d1a8b48b7b3a2301d272fc628764d3a942778a30d635c9562d4b0cdeb21fe3e8089193261274fa3c5a5d6612d5f305c73153ed17c7ef59fd8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\66a90592-66ca-42c9-97f0-c7045cbe2448
| MD5 | 53acb3edfc57ff3397f1bd7223162313 |
| SHA1 | 461777b1b0718950ec86bc78f7c8567a6549857b |
| SHA256 | 8f4d216902ab1d444da26d9767947f2f64b1ed60aae9af09a4da2aa44266e1c0 |
| SHA512 | 6202d0138085a33a410fa2aa37801e72514e6e8e82cf9bc72b4ab9e683c68fe9166ee89284a97be170ccc38fd4bf90cf030463fd0624a470d4d1e34b0b3ff397 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | aeda38a9d6bc30a5f54b384f20a1b4b8 |
| SHA1 | 0dcc2f57c2c387ffd3facb09dd19907011fc2ecc |
| SHA256 | b3f66a3cf61cafe8024e5db7275dac2edb33366fb51162e758a0cb1e3216b0de |
| SHA512 | 3e311e5d079f2fea14fa828a6deea443888cd96395b24b22983ece06d8959b54f4929753ab6f31d5dbe257116179857535ae657f188e305e32e117b39bb29ede |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | 9bcda68cde7944353f61d96e94394afe |
| SHA1 | 1b33794d32c8576ebbb35498b6280e23f174ddd0 |
| SHA256 | acb4c752b5c4d359186be0e0789eed60aacb7d34cc6f2ce8cdf36fe34f9eeab2 |
| SHA512 | c619d48f348a266fd8042bbe1c3ac6133be17823797a0395d8b4521016112d71e71cde2981197ec8289098baaecbf9d3a4f24f56962431f3d8ee0c3d81705bf1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 37c66f7997481d5f6dc28260ce40bcda |
| SHA1 | e5bbad45018ef7b220c348ce830cd05276067cb3 |
| SHA256 | aa6718b9ee2a6b30fbd6498934d17a72b1368f582b4713dcfcfac0902115a457 |
| SHA512 | 532fb049834bee7e6e0f9424e5eb8bdbbfdeddf2f2de0ac4863cee77ee92cf2c0bfb2bca7b67056d861e16bb03c61e30c73ad0356ead7c7a5e1ff106badf508f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | e3486a221a3064bc9f42ee13c9cd33b1 |
| SHA1 | 964e7da68f61325f00d0168c5d6c26bbe71a5ed9 |
| SHA256 | 3f950cb627022dfd499e725474bd996a6aea63b9e5c8036d13455ba3fdb4934f |
| SHA512 | 6673afcd7a4dfa4b69a8484e4b7d46ee209f94138a9cca78c0d9781058b792424d4dc85e8a4dedb021129674741fe7fd56d39ca405092cbc2d6aec5bf4250b7f |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
| MD5 | 0b415232f95ebdcbe3a633519bf7ca72 |
| SHA1 | 69b4569e310ba3d5d5af10808f06f9ba6d684573 |
| SHA256 | 63c7fe9535ced68f5abd4e714f8c45cff6472aa071c6f90d268128a3000f1ddb |
| SHA512 | cd5be39b0f1688e52d3b1bf8d066f6bb3745b6458f53be2770ac233cc644fe7c39914033b55a967d0734f4e725e14ccd4ecfea89adf0ed79d7a5fa11b17a597c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | d5ab38fb161a8a9fa43003c8bc42a001 |
| SHA1 | a9e24a1023f8c239ba6f199bde0b3d1303ab7271 |
| SHA256 | a2a6be9a0625a9ba6c4500a5b900d6acf8bf858f692874e2d01dab33ccc007ae |
| SHA512 | 50ba3ef11dfe06f474fac08f612d5be4bc2a0c7fc99551af63c20e7e0d4cf327a3d2d5540b4aad953a1d42c81398946d601455a1d9532e9520ebf26abf873c0f |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-20 21:45
Reported: 2024-04-20 21:48
Platform: win7-20240215-en
Max time kernel: 84s
Max time network: 153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32\window security.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32\window security.exe | C:\Windows\System32\window security.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32 | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\System32 | C:\Windows\System32\window security.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\window security.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
C:\Windows\System32\window security.exe
"C:\Windows\System32\window security.exe"
C:\Windows\System32\schtasks.exe
"schtasks" /create /tn "window security" /sc ONLOGON /tr "C:\Windows\System32\window security.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1f99758,0x7fef1f99768,0x7fef1f99778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3524 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3748 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1268,i,15587189051714377758,11777162849711758113,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.154:4782 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 192.168.1.154:4782 | tcp | |
| N/A | 192.168.1.154:4782 | tcp | |
| N/A | 192.168.1.154:4782 | tcp | |
| N/A | 192.168.1.154:4782 | tcp | |
| N/A | 192.168.1.154:4782 | tcp | |
| N/A | 192.168.1.154:4782 | tcp |
Files
memory/2212-0-0x0000000000140000-0x0000000000468000-memory.dmp
memory/2212-1-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/2212-2-0x000000001B1A0000-0x000000001B220000-memory.dmp
C:\Windows\System32\window security.exe
| MD5 | 4d037c46eaf6b2e5ae5db85ef045c0d1 |
| SHA1 | 7bc3b6647192157a2cc4894f4c58365d9932a2cf |
| SHA256 | c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821 |
| SHA512 | 163d60321af8d3da76d10ea550b4c792dd0b6a18abe603ab049043246b2136fb2543f8089e3e5d3fbd6e6bfcf1786f4f7b8a96cb28e353cefbe1a2553e753ab3 |
memory/2364-8-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/2212-9-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/2364-10-0x0000000000F70000-0x0000000001298000-memory.dmp
memory/2364-11-0x000000001B3B0000-0x000000001B430000-memory.dmp
\??\pipe\crashpad_2684_YKFANYFXOAGZCBSG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/2364-106-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/2364-110-0x000000001B3B0000-0x000000001B430000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ae91bfcb0b2f1e45fe33e155f0cd90a6 |
| SHA1 | 3010bb9d1bc91cf74dbf485e435bc98301b25db5 |
| SHA256 | 97c48ca8a2db9bd9dfd894da62c7bf5106424c8980bda0f507aa9d053fa7b9b9 |
| SHA512 | 08f6b6899d464701af16d44a8b639a005cf490bf61872a25edaf7a37dcabb8ecd1cd3ce8efa8e77f536a04ac5953714299eee30c758be91fc08bd8b33f63552b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9863317487d62d4e7316c3db4c4087f1 |
| SHA1 | 49c8787b7a46755fe9ed121ca17c860250a4049f |
| SHA256 | 0136dd6678b2a90364f0b18dce680fdaeff656d089e03537c561333aad3efcf1 |
| SHA512 | cc62b5689fab2adeda1c214666a5ffcbfcc7104c6d3010f556585785651ab291306eadc4cd18f2fd49534d7e1eae90a6140f5b0606c847235bcadea464f16bc6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 42f21bb8e8a6848858bc28b8f6f03af8 |
| SHA1 | 3ee9b09659ddde09da4ea2ddae0a3587ab51d625 |
| SHA256 | 09b3e3763e9d5633edbcbe004f29e2b3d3779b00b494017fb6619142c24ab829 |
| SHA512 | 999ca27270bea5230aa1a0aecb75449c9b603a53d5e1fec35e78eff594ef087b324ea7a7c98add803c587bc03dec60b29663f46f5f58356e52c8fccafa48f370 |
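The Network and Files tables above hold the two indicators a responder needs from this detonation, mixed in with browser traffic and sandbox artifacts: seven unresolved TCP connections to 192.168.1.154:4782 (4782 is Quasar's default port) and a copy of the sample written to C:\Windows\System32\window security.exe whose SHA256 equals the submitted file's. The Python below is an added example, not part of the report or of Quasar; it transcribes both tables as constructed input and separates those two indicators from DNS/mDNS, the Google connections, the zero-byte crashpad pipe (its hashes are the well-known empty-input digests) and Chrome profile churn. The repeat-connection threshold and the noise rules are the editor's assumptions.

```python
"""Pull actionable IOCs out of this report's Network and Files tables.

Added example, not part of the sandbox report or of Quasar's own code. The two
sample inputs are transcribed from the report; the filtering rules (repeated
unresolved TCP endpoint, empty-hash and browser-profile noise) are assumptions.
"""
import hashlib
import ipaddress
import re
from collections import Counter

# SHA256 the report gives for the submitted sample.
SUBMITTED_SHA256 = "c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821"
# Quasar's default listener port; a match supports, but does not prove, the family.
QUASAR_DEFAULT_PORT = 4782
# SHA256 of zero bytes: a file entry carrying it has no content worth hunting for.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed input: the report's Network rows (Country | Destination | Domain | Proto).
NETWORK_ROWS = """\
| N/A | 192.168.1.154:4782 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
| N/A | 192.168.1.154:4782 | N/A | tcp |
"""

# Constructed input: (path, SHA256) for hashed entries of the Files section.
FILE_ROWS = [
    (r"C:\Windows\System32\window security.exe",
     "c18eadfdcee5050757e12c48fc44db31612863eb37db0fbc2dcbaad7ff5ae821"),
    (r"\??\pipe\crashpad_2684_YKFANYFXOAGZCBSG",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences",
     "97c48ca8a2db9bd9dfd894da62c7bf5106424c8980bda0f507aa9d053fa7b9b9"),
]

DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_network_rows(text):
    """Return (ip, port, domain, proto) tuples from pipe-delimited rows.

    Cells are recognised by content, not position: exported tables sometimes
    shift the protocol into the Domain column when no name was resolved.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        dest = next((c for c in cells if DEST_RE.match(c)), None)
        if dest is None:  # header row or blank line
            continue
        ip, port = DEST_RE.match(dest).groups()
        proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in cells if "." in c and c != dest), "")
        rows.append((ip, int(port), domain, proto))
    return rows


def classify_network(rows):
    """Split endpoints into beacon candidates and background noise.

    Assumption: a TCP endpoint contacted more than once with no resolved name,
    excluding DNS/mDNS and multicast, is a C2 candidate. RFC1918 destinations
    are kept, since a client built for a lab network beacons to a private address.
    """
    named = {(ip, port) for ip, port, domain, _ in rows if domain}
    counts = Counter((ip, port, proto) for ip, port, _, proto in rows)
    candidates, noise = [], []
    for (ip, port, proto), hits in sorted(counts.items()):
        addr = ipaddress.ip_address(ip)
        if (ip, port) in named or port in (53, 5353) or addr.is_multicast:
            noise.append((ip, port, proto, hits))
        elif proto == "tcp" and hits > 1:
            candidates.append({"host": ip, "port": port, "hits": hits,
                               "private": addr.is_private,
                               "quasar_default_port": port == QUASAR_DEFAULT_PORT})
    return candidates, noise


def classify_files(rows, submitted_sha256):
    """Separate the dropped payload from zero-byte and browser-profile churn."""
    out = {"self_copy": [], "zero_byte": [], "browser_noise": [], "other": []}
    for path, sha in rows:
        sha = sha.lower()
        if sha == submitted_sha256:  # byte-identical copy of the sample
            out["self_copy"].append(path)
        elif sha == EMPTY_SHA256:  # e.g. the crashpad named pipe
            out["zero_byte"].append(path)
        elif r"\Google\Chrome\User Data" in path:
            out["browser_noise"].append(path)
        else:
            out["other"].append((path, sha))
    return out


if __name__ == "__main__":
    c2, _ = classify_network(parse_network_rows(NETWORK_ROWS))
    files = classify_files(FILE_ROWS, SUBMITTED_SHA256)
    print("C2 candidates:", c2)
    print("Persisted self-copy:", files["self_copy"])
```

Run it directly to print the candidate C2 endpoint and the persisted copy. The address itself is RFC1918, so it has no value outside the network this client was built for; the portable indicators are the port, the dropped path under System32 and the sample hash, which doubles as the hash of the dropped file.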