Analysis
max time kernel: 505s
max time network: 502s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 13:39
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Tag: Office04
C2: 192.168.178.55:4782
Mutex: ab76f5ad-f7de-4353-8bc6-3813fdc49e70
encryption_key: 143C5DA04AAA598C7074C462FBB65D53601828BC
install_name: HappyClient.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: HappyClientMOD
Signatures
-
Quasar payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4692-60-0x000001D652040000-0x000001D652178000-memory.dmp | family_quasar
behavioral1/memory/4692-61-0x000001D652700000-0x000001D652716000-memory.dmp | family_quasar
C:\Users\Admin\Desktop\Quasar v1.4.1\HappyModPC.exe | family_quasar
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe | family_quasar
behavioral1/memory/208-560-0x0000000000970000-0x0000000000C94000-memory.dmp | family_quasar
Executes dropped EXE 4 IoCs
Processes: HappyModPC.exe, HappyClient.exe
pid | process
208 | HappyModPC.exe
4152 | HappyClient.exe
3088 | HappyModPC.exe
696 | HappyModPC.exe
Drops file in System32 directory 2 IoCs
Processes: chrome.exe
description | ioc | process
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies Internet Explorer settings 4 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673387643088767" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class 64 IoCs
Processes: explorer.exe, Quasar.exe
In the rows below, <Shell> stands for \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell; all other paths are given in full.
description | ioc | process
Key created | <Shell>\BagMRU\1\0 | explorer.exe
Key created | <Shell>\Bags\2\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | <Shell>\BagMRU\1\1 | Quasar.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Quasar.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Quasar.exe
Set value (data) | <Shell>\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0\0\0 = 66003100000000000559046d10005155415341527e312e3100004c0009000400efbe0559f46c0559056d2e0000001d340200000009000000000000000000000000000000ab014c005100750061007300610072002000760031002e0034002e00310000001a000000 | explorer.exe
Set value (data) | <Shell>\BagMRU\1\MRUListEx = 0100000000000000ffffffff | Quasar.exe
Set value (int) | <Shell>\BagMRU\1\1\0\NodeSlot = "3" | Quasar.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Quasar.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Quasar.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0\0 = 7e003100000000000559f46c11004465736b746f7000680009000400efbe02597b630559f46c2e00000071e101000000010000000000000000003e0000000000bd401a004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | explorer.exe
Key created | <Shell>\BagMRU\1\0\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | <Shell>\Bags\AllFolders | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | explorer.exe
Set value (data) | <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff | Quasar.exe
Key created | <Shell>\BagMRU\1\0\0 | explorer.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Quasar.exe
Set value (str) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | explorer.exe
Set value (data) | <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff | explorer.exe
Set value (data) | <Shell>\BagMRU\1\0\0 = 780031000000000002597b631100557365727300640009000400efbe874f77480559ec6c2e000000c70500000000010000000000000000003a00000000009ef4710055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Set value (str) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | explorer.exe
Set value (str) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Quasar.exe
Key created | <Shell> | explorer.exe
Key created | <Shell>\BagMRU\1 | explorer.exe
Key created | <Shell>\Bags\AllFolders\Shell | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | explorer.exe
Set value (data) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | Quasar.exe
Set value (data) | <Shell>\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | Quasar.exe
Key created | <Shell>\Bags\3\ComDlg | Quasar.exe
Set value (data) | <Shell>\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | <Shell>\BagMRU\1\MRUListEx = 00000000ffffffff | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | explorer.exe
Key created | <Shell>\BagMRU | explorer.exe
Key created | <Shell>\Bags\2 | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | explorer.exe
Key created | <Shell>\BagMRU | Quasar.exe
Key created | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Quasar.exe
Set value (data) | <Shell>\BagMRU\1\0\0\0 = 500031000000000002597c6c100041646d696e003c0009000400efbe02597b630559ec6c2e00000067e1010000000100000000000000000000000000000074d22c01410064006d0069006e00000014000000 | explorer.exe
Set value (int) | <Shell>\BagMRU\1\0\0\0\0\0\NodeSlot = "2" | explorer.exe
Set value (int) | <Shell>\Bags\AllFolders\Shell\WFlags = "0" | explorer.exe
Key created | <Shell> | Quasar.exe
Set value (data) | <Shell>\BagMRU\1\1\MRUListEx = 00000000ffffffff | Quasar.exe
Key created | <Shell>\Bags\3 | Quasar.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Quasar.exe
Set value (data) | <Shell>\BagMRU\NodeSlots = 02 | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | explorer.exe
Set value (data) | <Shell>\BagMRU\NodeSlots = 0202 | Quasar.exe
Set value (data) | <Shell>\BagMRU\1\1\0\MRUListEx = ffffffff | Quasar.exe
Set value (data) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Quasar.exe
Key created | <Shell>\Bags | explorer.exe
Key created | <Shell>\BagMRU\1\0\0\0\0 | explorer.exe
Set value (str) | <Shell>\Bags\2\Shell\SniffedFolderType = "Generic" | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | explorer.exe
Set value (int) | <Shell>\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | explorer.exe
Set value (data) | <Shell>\BagMRU\NodeSlots = 020202 | Quasar.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | Quasar.exe
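The BagMRU values in the block above are ShellBag ITEMIDLISTs written by Explorer and by the Quasar.exe file dialog, and they record the folders that were browsed during the run. The decoder below is an added example, not part of this report or of Quasar: it takes the report's own hex values, splits each into shell items, decodes the root CLSID, the 8.3 name, the DOS modification timestamp and the long name from the 0xBEEF0004 extension block (offsets as documented for libfwsi, checked against these version-9 blocks; the version-7 and version-8 offsets are assumed from the same layout), and walks the BagMRU key hierarchy back to the root. BagMRU\1\0, the drive item, is not among the 64 entries the report lists, so it appears as "?" in the rebuilt path.

```python
"""ShellBag decoder for the BagMRU values listed under "Modifies registry class".

Added example, not part of the sandbox report or of Quasar. The hex strings are
copied from the report's BagMRU entries; the ITEMIDLIST and 0xBEEF0004 offsets
follow the libfwsi documentation and were checked against these version-9 blocks.
"""
import struct
import uuid
from datetime import datetime

# BagMRU values copied from the report (keys relative to ...\Windows\Shell).
BAGMRU_VALUES = {
    r"BagMRU\1": "14001f50e04fd020ea3a6910a2d808002b30309d0000",
    r"BagMRU\1\0\0": "780031000000000002597b631100557365727300640009000400efbe874f77480559ec6c2e000000c70500000000010000000000000000003a00000000009ef4710055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000",
    r"BagMRU\1\0\0\0": "500031000000000002597c6c100041646d696e003c0009000400efbe02597b630559ec6c2e00000067e1010000000100000000000000000000000000000074d22c01410064006d0069006e00000014000000",
    r"BagMRU\1\0\0\0\0": "7e003100000000000559f46c11004465736b746f7000680009000400efbe02597b630559f46c2e00000071e101000000010000000000000000003e0000000000bd401a004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000",
    r"BagMRU\1\0\0\0\0\0": "66003100000000000559046d10005155415341527e312e3100004c0009000400efbe0559f46c0559056d2e0000001d340200000009000000000000000000000000000000ab014c005100750061007300610072002000760031002e0034002e00310000001a000000",
}

# Root-folder CLSIDs worth naming; anything else is shown as a bare GUID.
KNOWN_ROOTS = {"20d04fe0-3aea-1069-a2d8-08002b30309d": "This PC"}
BEEF0004 = b"\x04\x00\xef\xbe"  # little-endian signature of the file-entry extension block


def dos_datetime(date: int, time: int) -> datetime:
    """Decode the 16-bit DOS date/time pair stored in file-entry shell items (2 s resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _cstr(buf: bytes, start: int) -> str:
    return buf[start:buf.index(b"\x00", start)].decode("ascii", "replace")


def _wstr(buf: bytes, start: int) -> str:
    end = start
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":  # step by UTF-16 code units
        end += 2
    return buf[start:end].decode("utf-16-le")


def parse_idlist(hex_value: str) -> list:
    """Split an ITEMIDLIST into shell items and decode the kinds ShellBags use."""
    data = bytes.fromhex(hex_value)
    items, pos = [], 0
    while pos + 2 <= len(data):
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:                      # two zero bytes terminate the list
            break
        item, pos = data[pos:pos + size], pos + size
        kind = item[2]
        if kind == 0x1F:                   # root folder item: CLSID at offset 4
            guid = str(uuid.UUID(bytes_le=item[4:20]))
            items.append({"kind": "root", "guid": guid,
                          "name": KNOWN_ROOTS.get(guid, "{%s}" % guid)})
        elif (kind & 0x70) == 0x30:        # file entry: 0x31 directory, 0x32 file
            mdate, mtime, attrs = struct.unpack_from("<HHH", item, 8)
            short = _cstr(item, 14)        # 8.3 name follows the 14-byte header
            name = short
            sig = item.find(BEEF0004, 14)
            if sig != -1:
                ext = sig - 4              # extension block starts 4 bytes before its signature
                version = struct.unpack_from("<H", item, ext + 2)[0]
                if version >= 7:           # long-name offset grows with the block version
                    name = _wstr(item, ext + 38 + (4 if version >= 8 else 0)
                                 + (4 if version >= 9 else 0))
            items.append({"kind": "directory" if attrs & 0x10 else "file",
                          "name": name, "short_name": short,
                          "modified": dos_datetime(mdate, mtime)})
        else:
            items.append({"kind": "unknown", "type": kind, "name": "?"})
    return items


def shellbag_path(values: dict, key: str) -> str:
    r"""Rebuild the browsed folder for a BagMRU key by walking up to BagMRU.

    Each key's value holds one item relative to its parent, and the parent key is
    the key minus its last \N component; a key missing from `values` becomes "?".
    """
    parts = []
    while key != "BagMRU":
        hex_value = values.get(key)
        parts.append(parse_idlist(hex_value)[0]["name"] if hex_value else "?")
        key = key.rsplit("\\", 1)[0]
    return "\\".join(reversed(parts))


if __name__ == "__main__":
    for key in BAGMRU_VALUES:
        item = parse_idlist(BAGMRU_VALUES[key])[0]
        print(key, "->", shellbag_path(BAGMRU_VALUES, key), item.get("modified", ""))
```

Run stand-alone it rebuilds This PC\?\Users\Admin\Desktop\Quasar v1.4.1 for the deepest key, with a folder modification time of 2024-08-05 13:40:08 (UTC as stored), which agrees with the submission time and with the Quasar v1.4.1 folder that appears in the Quasar payload signature and in the explorer.exe /select command line in the process tree.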
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
3964 | schtasks.exe
4480 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid | process
2192 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: chrome.exe
pid | process
4648 | chrome.exe (2 entries)
1868 | chrome.exe (4 entries)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: Quasar.exe, explorer.exe
pid | process
4692 | Quasar.exe
2192 | explorer.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes: chrome.exe
pid | process
4648 | chrome.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe, Quasar.exe
description | pid | process
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating | 4648 | chrome.exe (63 entries)
Token: SeDebugPrivilege | 4692 | Quasar.exe (1 entry)
Suspicious use of FindShellTrayWindow 41 IoCs
Processes: chrome.exe, Quasar.exe, HappyClient.exe
pid | process
4648 | chrome.exe (34 entries)
4692 | Quasar.exe (6 entries)
4152 | HappyClient.exe (1 entry)
-
Suspicious use of SendNotifyMessage 30 IoCs
Processes: chrome.exe, Quasar.exe, HappyClient.exe
pid | process
4648 | chrome.exe (24 entries)
4692 | Quasar.exe (5 entries)
4152 | HappyClient.exe (1 entry)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: explorer.exe, Quasar.exe, HappyClient.exe
pid | process
2192 | explorer.exe (2 entries)
4692 | Quasar.exe (3 entries)
4152 | HappyClient.exe (1 entry)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: chrome.exe
description | pid | process | target process
PID 4648 wrote to memory of 4544 | 4648 | chrome.exe | chrome.exe (2 entries)
PID 4648 wrote to memory of 2808 | 4648 | chrome.exe | chrome.exe (repeated)
PID 4648 wrote to memory of 1400 | 4648 | chrome.exe | chrome.exe (2 entries)
PID 4648 wrote to memory of 1100 | 4648 | chrome.exe | chrome.exe (repeated)
64 entries in total; the 2808 and 1100 rows are repeated many times in the original table, all from the Chrome browser process to its own child processes.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4648)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/quasar/Quasar/releases/download/v1.4.1/Quasar.v1.4.1.zip
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff93cf6cc40,0x7ff93cf6cc4c,0x7ff93cf6cc58
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2808)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1636,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1632 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1400)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1100)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4260)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3064)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1168)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2404)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3696 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1868)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5000,i,5446513625404428759,10286416840033050975,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:8
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2572)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\system32\svchost.exe (PID 4696)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Windows\System32\rundll32.exe (PID 1884)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe (PID 4692)
  Command line: "C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Windows\explorer.exe (PID 1456)
    Command line: "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"
- C:\Windows\explorer.exe (PID 2192)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\Desktop\HappyModPC.exe (PID 208)
  Command line: "C:\Users\Admin\Desktop\HappyModPC.exe"
  Signatures: Executes dropped EXE
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3964)
    Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\HappyClientMOD\HappyClient.exe" /rl HIGHEST /f
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Roaming\HappyClientMOD\HappyClient.exe (PID 4152)
    Command line: "C:\Users\Admin\AppData\Roaming\HappyClientMOD\HappyClient.exe"
    Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4480)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\HappyClientMOD\HappyClient.exe" /rl HIGHEST /f
      Signatures: Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\Desktop\HappyModPC.exe (PID 3088)
  Command line: "C:\Users\Admin\Desktop\HappyModPC.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\Desktop\HappyModPC.exe (PID 696)
  Command line: "C:\Users\Admin\Desktop\HappyModPC.exe"
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads