Analysis Overview
SHA256
bba5ce847c62bb82236b5c5e9469f24d7f8f3d605bfaf4b5c5901b4fad1b84ac
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 07:31
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 07:31
Reported
2024-06-14 07:39
Platform
win7-20240611-en
Max time kernel
410s
Max time network
421s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsManager\winrmt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun" | C:\Program Files\Windows Sidebar\sidebar.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\WindowsManager\winrmt.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\WindowsManager\winrmt.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\WindowsManager | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\WindowsManager\winrmt.exe | C:\Windows\system32\WindowsManager\winrmt.exe | N/A |
| File opened for modification | C:\Windows\system32\WindowsManager | C:\Windows\system32\WindowsManager\winrmt.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Windows Sidebar\sidebar.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5600310000000000ce58133c100053797374656d333200003e0008000400efbeee3a861ace58133c2a00000027090000000001000000000000000000000000000000530079007300740065006d0033003200000018000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5200310000000000cb5827ba100057696e646f7773003c0008000400efbeee3a851acb5827ba2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 6200310000000000ce58133c120057494e444f577e3200004a0008000400efbece58133cce58133c2a0000004b22010000000c000000000000000000000000000000570069006e0064006f00770073004d0061006e006100670065007200000018000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\sidebar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsManager\winrmt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f
C:\Windows\system32\WindowsManager\winrmt.exe
"C:\Windows\system32\WindowsManager\winrmt.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | daongochuy.ddns.net | udp |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| US | 8.8.8.8:53 | daongochuy.ddns.net | udp |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| US | 8.8.8.8:53 | daongochuy.ddns.net | udp |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| US | 8.8.8.8:53 | gadgets.live.com | udp |
| US | 8.8.8.8:53 | money.service.msn.com | udp |
| US | 2.22.144.37:80 | gadgets.live.com | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| US | 8.8.8.8:53 | daongochuy.ddns.net | udp |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| US | 8.8.8.8:53 | daongochuy.ddns.net | udp |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp | |
| VN | 1.54.24.98:5899 | daongochuy.ddns.net | tcp |
| N/A | 192.168.1.70:5899 | tcp |
Files
memory/2900-0-0x000007FEF5613000-0x000007FEF5614000-memory.dmp
memory/2900-1-0x0000000000E50000-0x0000000001174000-memory.dmp
memory/2900-2-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
C:\Windows\System32\WindowsManager\winrmt.exe
| MD5 | 7f113430d45982dd16a92095a0734593 |
| SHA1 | 7c054a7e0ded31b23b94f59159b47df5e37135dd |
| SHA256 | bba5ce847c62bb82236b5c5e9469f24d7f8f3d605bfaf4b5c5901b4fad1b84ac |
| SHA512 | c17264d90431123207abd10998c4f8e068a7fcba7ab9763952741c52eccd80791bc48e2a053eec51499d9c2ae8a7f454f9ab74b0970fc219c57dd49a244753a1 |
memory/2032-8-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
memory/2032-9-0x00000000003E0000-0x0000000000704000-memory.dmp
memory/2900-10-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
memory/2032-11-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
memory/2652-12-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2652-13-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2032-14-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp
memory/2652-15-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2652-16-0x0000000000390000-0x00000000003A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | c62b5df88a35790a21b1d0a0ff6b7bf2 |
| SHA1 | fc6b659ef674accb7c034c91e47f2ef135021c04 |
| SHA256 | acb6f3b8be42a22a318ad883e5b5271dda3991bdc53891596cd07d2dc141ebe1 |
| SHA512 | 7a07322e7ea6bb3d147c2f941a09a6ccd6d1ed7704f8f80bbdb038322b6d64c42fcc70c5143a4de86519c8fa991a977b3e6c42ddcccd063ba98fb6f5496ddccb |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | dba203cf3b82eaae4717368a733fcb0e |
| SHA1 | 88eff85365144e807e8c31cfb79befbfc1c7a2e8 |
| SHA256 | 186078bd3d20cbb95303ac43ef617146c62388559d50286f8d61e0a79d617b2c |
| SHA512 | 3833ea195a8c6671e85afb7eb9a2d22e3e3f71046dd57252cd3adc8915d4bc9b74004b2843345e76cf9b8d533f9ee7212b1a87b310f0b083e6577a183d8764b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | ad1148468aac7031a72ef9838f5ae5aa |
| SHA1 | 847ec1e619a1f93deabc9be55a09abe25d5a4961 |
| SHA256 | ca34c2bc5eb0035e624f802a859f0b1f5a7b352aa4227c73b1b5399834ca8e02 |
| SHA512 | 8fb0a9e513853cf786794712c576756150484bb4d2e9072c016a592afdf67bbd32f0490eab7d21a2f6503d5cc41c2e0fcdc791e6d0e822250be84d2a62d1f033 |
memory/1792-123-0x000007FFFFF50000-0x000007FFFFF60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | c336168814db64d7726f8ed52c567bd9 |
| SHA1 | 2acbb4fa6e428e8337aad94f1339ddb8ecb03b6d |
| SHA256 | 5d11272e8cceb8da6af2fa6f9c6a79017226642494164a7ddf98be9083632e42 |
| SHA512 | 4a161a026cfc42795d226278a0336702e91fc4e25e4261c22b33aca10c3216b20d34a508800eb4ca6cd9b520372960f82d83dddb59d30571310361f538d409e5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 0c04c72f66e28c85521a4d73c4fe7984 |
| SHA1 | 82405a46d13be36b01318ce6cec157623b4eac49 |
| SHA256 | d69cad7d6d56af49756637fafe56045202a3206fcac4f31a810ea5997a9b0c54 |
| SHA512 | 88700571fe6ae6896a05ebc546524fd4354b8f1254dd9dbc5a7ed5d89982aa4bdc53e0af729ec661fbfc8ffc1281f855cb75c32e9dbd8a1d5f11caaa026f4c6e |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | e8db950aad2cb15c188b0b3908452698 |
| SHA1 | fe1349f4a019ba11e8a59b6c98598a0683e61468 |
| SHA256 | 2d699b866d961b65ffba1d41106f6807d090d3874fc26b341e2bc10efd973848 |
| SHA512 | f93c5c5402302f37c36e8aa10fa8648d4f758d75b2f9d500786c9a95908200e7e846a2569138efd00d93e7716314bded372c6cbe730243f4b83730288b945d4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | dd9b9b2f23788eb1b768d9de74e703af |
| SHA1 | cbab5fa9e4ec3f6cc8e54d8b5d1831ba3d9affc7 |
| SHA256 | a22856a4caa9ceefb593183b59de5a344d2192cd50f82d3e3fa3717c5c8d7eb2 |
| SHA512 | 4f130434d15c813eb0a8433f7b50f9aea93a08b20798f011aa1f98356cd62814d35bb90e034101c7c85c7edd13340e2253cea32080939ba0ae453f94445c7074 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 88fcd3b59d8a38f548a6fda9247db67e |
| SHA1 | a9ebb838f2821b1f4384f3db4d728ae3dcb25ec9 |
| SHA256 | f13267579dcda5f625192810f0312685b77ccb55ee58010cbb33d763c7003d12 |
| SHA512 | b82539645676fc6c5fa4ce71d50fd50a895723fe969f0ed6e148dab9adadb4115ea159f1e1f39cd4f55c80f3fca299c3683c0b2c58961b316962922c97cd19b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 46b30a6c8471527e47a94f45991a2d20 |
| SHA1 | 0884e7bdce4230c27c51fdcbcc38e26b722e1176 |
| SHA256 | d54035e2be09d16285cf54ed0879f6de1c9805c210769c5d705071ae400af36f |
| SHA512 | bd4b44d9494d212257b5f88c628a7bb37f81e550c637ada96b7f0a70619932c1f88875d127bbf647590d46428a35b87ba145e96b1c60e92dbbbbccd6f54c1406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | f3ca05b63f506cf34f4eb2cec1754ee9 |
| SHA1 | e4eeb1abbe05c21022eb92a3208aa2e752279762 |
| SHA256 | b9874e0ffa702c1fcf05f48482e06bb290982b77bcf68cff2aba4b13a7dabcd0 |
| SHA512 | 1264d3b367ecee9ec0e7f49b89a33a3e820b7e182b22c1a73379c2589aef7cbf4038e81b825673c0747610c735972592d8d58252ad2ea7502955b1ed59273d55 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 499c5a08529498b8ffce038675190f99 |
| SHA1 | 504d9c728013f140868e64351776e9f9495c2cf8 |
| SHA256 | f3b09f3bb704bea0c91ff780ff4b7fc566b735bf2fe33a6a7cb9f6f4155a9c37 |
| SHA512 | eb8ca0aea9d8c123eda5e562d2cac53b8e7be1e4368f8a8a51c1780dd6c4da563a67fca6278db29ea671fbfdcb59264d77eec3025f383171e88d5267de86f093 |