Analysis
-
max time kernel
699s -
max time network
724s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
25-11-2024 05:55
General
-
Target
https://github.com/AJMartel/MeGa-RAT-Pack
Malware Config
Extracted
quasar
-
reconnect_delay
5000
Extracted
quasar
1.3.0.0
sheisnaked
10.127.0.238:4782
QSR_MUTEX_7fak0DswHgXJ2Lg3vN
-
encryption_key
cuNM9s5QevWTWb87e4sy
-
install_name
Java Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Extracted
quasar
1.4.0.0
HackedPC
10.127.0.238:4782
oopDvZ0Pv9LZd6ZHiE
-
encryption_key
UkupB7550cfCLLVj3Nla
-
install_name
Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Updater
-
subdirectory
SubDir
Signatures
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 53 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/AJMartel/MeGa-RAT-Pack1⤵
- Quasar RAT
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb1b8246f8,0x7ffb1b824708,0x7ffb1b8247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7e4995460,0x7ff7e4995470,0x7ff7e49954803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15379030436771262577,15419745765688019151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 /prefetch:32⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap26543:112:7zEvent326661⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "WindowsUpdate"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit2⤵
- Indicator Removal: Clear Persistence
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "WindowsUpdate" /F3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit2⤵
-
C:\Windows\system32\certutil.execertutil –addstore –f root MicrosoftWindows.crt3⤵
-
-
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\TiWorker.exe"C:\Windows\SysWOW64\TiWorker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
-
-
C:\Users\Admin\Desktop\FacebookCracker.exe"C:\Users\Admin\Desktop\FacebookCracker.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\FacebookCracker.exe" /rl HIGHEST /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31963:116:7zEvent274271⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Quasar Golden Editionx.exe"C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Quasar Golden Editionx.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Quasar Golden Edition.exe"C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Quasar Golden Edition.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\dotNET_Reactor.Console.exe"C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\dotNET_Reactor.Console.exe" -q -control_flow_obfuscation 1 -flow_level 6 -obfuscate_public_types 1 -obfuscation 1 -stringencryption 1 -exclude_serializable_types 1 -exclude_methods 1 -file "C:\Users\Admin\Desktop\sad.exe" -targetfile "C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\tmp\tmp.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\dotNET_Reactor.exe" "-q" "-control_flow_obfuscation" "1" "-flow_level" "6" "-obfuscate_public_types" "1" "-obfuscation" "1" "-stringencryption" "1" "-exclude_serializable_types" "1" "-exclude_methods" "1" "-file" "C:\Users\Admin\Desktop\sad.exe" "-targetfile" "C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\tmp\tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trv33glf\trv33glf.cmdline"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF44.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F08C729242B4CF79A7FFA4B277769EA.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\mpress.exe"C:\Users\Admin\Desktop\Quasar Golden Edition 1.4.1.0\Include\mpress.exe" -q "C:\Users\Admin\Desktop\sad.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Desktop\sad.exe"C:\Users\Admin\Desktop\sad.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\sad.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe" /sc MINUTE /MO 13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /K3⤵
-
C:\Windows\system32\chcp.comchcp 4374⤵
-
-
C:\Windows\system32\ipconfig.exeipconfig4⤵
- Gathers network information
-
-
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x324 0x2ec1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\sad.exe"C:\Users\Admin\Desktop\sad.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\sad.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe" /sc MINUTE /MO 13⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Updater.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Persistence
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59d533e1f93a61b94eea29bf4313b0a8e
SHA196c1f0811d9e2fbf408e1b7186921b855fc891db
SHA256ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3
SHA512b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5
-
Filesize
152B
MD5fccab8a2a3330ebd702a08d6cc6c1aee
SHA12d0ea7fa697cb1723d240ebf3c0781ce56273cf7
SHA256fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712
SHA5125339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e
-
Filesize
38KB
MD54a6a239f02877981ae8696fbebde3fc9
SHA15f87619e1207d7983c8dfceaac80352d25a336cf
SHA256ac546e02b937ee9ac6f6dd99081db747db7af6a4febf09cbe49e91452d9257b8
SHA512783cf2ae4ba57031c7f4c18bdac428a1074bb64f6eb8cef126ad33f46c08767deeac51917bef0f1595295b9f8a708cb297b7cf63fc3f7db0aa4ac217ce10f7cf
-
Filesize
37KB
MD5d34875fe1c47517f4081a1e2c5bc91f9
SHA1204fed3cda5eea26388e139dd1600682e7665cf6
SHA256aff6fc26fb0c69a279bdf9b32b4d2560cd47039470cca8248534daf8d0876186
SHA512aa164260951708910e1cc3d83c17f2d176427dcbe53e1e13cb539d65317a1750bd1e482850049e9c126aa5e70fbdd72db13d50367b90c8b8b37f01a264ecb148
-
Filesize
20KB
MD5b701fd5ce841ce90ff569c641bf0cbfd
SHA1923ef9dff528ad65b6f135828aa39340be591a9c
SHA25626ac894bd46903e9b8d08bf85cf4c7795e88f7c9dd85717b7560e16acc007fe3
SHA51267d8cbd5ca9334aa5c784bb73b2057d28e2a3687341cd62358b5c5211ba833e10909dada2069b49b0ef328c1a40d8e02b58d27385e3d944eacde240a4bcf2fde
-
Filesize
24KB
MD54b3e8a18f156298bce6eda1280ff618d
SHA1c929ff9c0cb0715dc5ab9fa66a469cb18106ed0e
SHA256eb8429f5918f8dfb14c7f8b32620f3516303c812869e9e8d1059e759a1550b49
SHA512e51a54976d11fe25486d35ba92f99b8de28222a7dca8c272dfc43d8f0bc1d34b6259797fd5a7aad9c1553c0881772875ba90e7d99f6175d16ffdd00586fe8ba3
-
Filesize
18KB
MD52e23d6e099f830cf0b14356b3c3443ce
SHA1027db4ff48118566db039d6b5f574a8ac73002bc
SHA2567238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885
SHA512165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717
-
Filesize
59KB
MD55bead0d2b2685032fc3f12b5a4f72a21
SHA1118ba82f13acc96cc2b28a1192947b81fbe88c2a
SHA256b74d05151579f9564a39b1287d81d6574c90ecebfdff9106480e29bf816fb610
SHA512653583a04218e9cacfd813458e28bf8b784cde06a74672948a5b864216ead351a00f8d62ef6e06ea8e85e43048df27d8b6b0c8432d5842c8f3ee7bbbfae325fc
-
Filesize
38KB
MD5f6c1297fae3fc10f55d4959d9dc771ce
SHA12df076464b94b7b06d771f3ef68e7a1403ec3d82
SHA2569aa5a405e664c215a315b794668de2faf252ee0bc0694596d82a1c0e91564ae3
SHA512d0d3e4a6fda2f9abb60d05befceaec9f1dec9d5dd4a31df5eeb94f0c1c545cfdbf70b862d0340a460e6d0cc62b8df16d3ea839683fa534c67030e70a181659db
-
Filesize
53KB
MD5cfff8fc00d16fc868cf319409948c243
SHA1b7e2e2a6656c77a19d9819a7d782a981d9e16d44
SHA25651266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a
SHA5129d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b
-
Filesize
16KB
MD5da4fb15960b623d2d1e45e712eab4e9e
SHA14daa448effcf03190d1a8b38b4cd377d8a1bf0b8
SHA25604a50722e2d7f3138fb002ddfd8dab1b0bf44803960fae3dd1f336118d8940db
SHA51205a0acdcee52bc0708da2ee4a1da468e07ae8ed525e0d4552f36fa9bd3f465d5f982e2d58f07cecfe78b0834003754f1d0adacdfac70b3b1bc2a85973e4f1ab0
-
Filesize
88KB
MD576d82c7d8c864c474936304e74ce3f4c
SHA18447bf273d15b973b48937326a90c60baa2903bf
SHA2563329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8
SHA512a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46
-
Filesize
101KB
MD59a861a6a772b86aaa2cc92e55adf3912
SHA185156e7eaf0d3bff66bd6119093610e8d9e8e5d2
SHA2566e7cc83f3b23d5f48bafdd934321de60485eb8d9ced04c6299e07dc6bcbc0d1b
SHA512b0a051e2e703227a55674fe235a97643ab1478af2384a5a974605cdd0e4ed79916d65e2adf61d19f59779da920699e74ac72cce05ec078f22f9b6678c5022a26
-
Filesize
19KB
MD51e53408e78feddaa3dea2f0014d5dead
SHA13dbd20f4511465b8b18e4681ea24f9e0140307cf
SHA256deb39cbf92259253ae2c5627f31489104612379e8d781a7b2bce775682c2d833
SHA512601a7dd43d4e43ad479b4241d02652c5523b2bd900118bb2cfd579bfa451e96a6328723c61146ebc113e79c03bf718464504d43502836250fd6b3752e13d6467
-
Filesize
2KB
MD557bc85dc1efef9cae2a201011ee1fc22
SHA14d338ad0b286c4e6cbad73dcbb8f579938ad71d6
SHA25684b086d0b334644b6addb676adb13d4d36f2cbe2fdec39603c5f093ad3412b8d
SHA51267f7c0bc65bb73bd46d0a038525f452f81976cd86b663fce71036f70ea956e98a330e732d70967717e63b1efbbb2872b2c912aa0c055fe098c539855da76f6e7
-
Filesize
2KB
MD533a2c7adab6a29e2e9ad885a7f6ef544
SHA1d84b40445a7391ffc2aa04aca712d61ead5bfcde
SHA2563bd9baf97488444bd14613d7cf29bc0db617c6c957dc0f71fe4979dd381ffb44
SHA5126831d7f71c94ddf4a7f3a847e193cddb7f76077ba5c359b782fcc0842f0c876b15566096a9ece0a944df24e10ef46af73336ebf3a9214b70fa77199680254d83
-
Filesize
48B
MD5837f279b9ada818c979c7ff96833cf1b
SHA1040b2aa937a9853e6cb537f014315c38fe506c30
SHA25648645a85185d88d69dbfe1a1ab5b8f517a2eda552a0d5077f23c5e494ee394c9
SHA5124ce456a99179dab3be42b9fe44f331cfd7b19400262b13473757fa70078e3b51f5d2466790c7362a632c03626ba111d180dbacba42fe7ee2b3c265f198e1988d
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
579B
MD546fa4f5f7344089589d117bd7599b3a9
SHA1b6cc1fe19e527d4a372c97e4d195ed94eee40030
SHA256223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a
SHA5126b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD597d8b7d8366b15256f89f0fc27cf32bb
SHA12fb1e77017c55d331b472c01afb55862f14ba774
SHA256c15424eb1c3e9836cc1432b4818991e54274c4ee717f92daead073e75eba1f7f
SHA5121373e2e0fd583050f5e568843a7e1bc7917d33c0dcfbfad85fdc0f792c23fbbaa07f908deba3bcda1b57123d685e464e1d7cde9602654bfab2e24e503b4403ce
-
Filesize
5KB
MD50a8814578d9a7366ff65957b442b1bf1
SHA1db8c99c134b7e05a42d9f4e76b2c565b9871b6b5
SHA2561d0b00474b6f6728495b4a5b85b340753b5dfb1ebe5c2b201c75b736fc1fd713
SHA51261d37d8aaafbc0e24fcc53c4f044403ef5122867cd3bb1c87f9f94b104e04ac584fe35d9135404e2470617613dcda5047d2dad7124b5dbc5069d86a303994109
-
Filesize
5KB
MD54c81a44c1cd15fb1343a96b4aa42a51c
SHA110a40ed706614b260c9cbd46ce8f7b6871b9f2a9
SHA25641de42f4af49bc9d5badc51a403241ec05778c74b3145ae8216d8f551419d31d
SHA51223215a20f2362005ac2e044dd9390912ee1a1e9584918f0d6d4a8fe558edc730ea5dd02878273fb053763d600d1ef99171a386fe27d5315b5de26f31b1191915
-
Filesize
5KB
MD5b2953faa633972571e7d56bbd5eb693a
SHA1ce1cd46cd5f9116bedcca8ee2e2de9d76dfcbac6
SHA256932323c5cecce36de16f206c2b3f8531719c38df062277fb292588ea3b8fdc47
SHA51264336df89f0a1b5623dcb166588fbbffe508e5f93c5eb215894f4466693f90d10047257afdb9a3e2a14bc24a3fd067487601750202e0115631a9640ec16539c5
-
Filesize
5KB
MD51f244863a6047ff7172a74d9581957f4
SHA1eb9628d7c011f6ecb7d0aa87fb0f531f74424e7b
SHA256a76c325b414e03691c269687e254622294166e402fe85a6537fc8d22e64b2182
SHA5120c05dccba9d5292035cc96ed4c00b9c2bf3a979e14c5cd3af3683b45b96a22a0185458dd8897d3bd02fb4295e38423149a2f462121d0e2b676cc741582d87596
-
Filesize
24KB
MD5ed659b1d7a51e558246bd24f62fff931
SHA184685d6f04379c290e4261ff04e9e1879d54d42c
SHA25623fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690
SHA5121c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc
-
Filesize
24KB
MD57ec09c7cbd7cb0b8a777b3a9e2a1892e
SHA13b07979e57b6c93be7d5a6cd8fa954dee91bd8dd
SHA256a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e
SHA5125fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b
-
Filesize
1KB
MD5c6a7dd53039d733efb3ae1829ddead74
SHA1588dcefda5fda0e844f7111452d3d5c5413c40f4
SHA256d1839a2576a4133984b81cca8a337cbd20263d2b7f8b75a21d508b37b10ee462
SHA512e6ac1cd64efb84b0dbe0b99a7c6f47e0f540610dc2d868f6fa379081c1bf16363f236c118935fb9fd81af693ef8bf2369c932914650726815f10d6edadf7136e
-
Filesize
1KB
MD50d5a303f6fca8d009181eaa9bb659763
SHA1e7913af9d5c1c87ba11a24d2c719ea21d4ec48cb
SHA25631a63e9c034eb79d0572d070b641da65d1b54b3f9fbc2de984c7eb46c288c6b4
SHA512d34bd8e6afde9f7e45f447ac62d22119a60834809471c1ae9093572898c9e45b3248dbedaa3d5443228def3e0ffc4b612961332906b56f277509302086312984
-
Filesize
1KB
MD507c9af7b65d1a747d62f2abc07b11ffa
SHA171c74641d14aab9913aabe290194bbf154622d27
SHA256759c4858a9f78b3b100a4f62f688e84475c1551463f489c3ee4357e550f68446
SHA5129219627147b43dfc3e0aea3728863d4c9958ec730764e6ac08801e98fbb7dea6dd48f4d8614ce94b44a219d17be79ce74228d32d2faf09b578e8e795201bb2d0
-
Filesize
1KB
MD5512b8ed6d0dec5fe9fb01703a495bbb2
SHA17fe55615ecb6e5a35420fddba118d0497d5864ff
SHA256ce14588ccbacd3a2f313340317c53fb50448d1f9d09d1ce6fabeb52b369f9ead
SHA512c3f80ec8935eba5152a015a764ecf20ad043af0a04f86c3001dccb2ae085562f7fe2ec3660ab47c0d8e9bf6dbf7b372d40262c299fcce40709b9c41089e6e6e7
-
Filesize
874B
MD59195f1be86fe57735a85e60c37d2e726
SHA190cdf2c2c9cfd7e4832e7b76e8aab875b4e6b7ef
SHA256773ecf178b14bacab0442ea2ca2aab14208c62abf6e38975dcc7407b9d634509
SHA512d5fc781457dd17cfaa5c149c35b1dd984f17e4a8e653a2dfbcc9cedc08a14afceba849d707e19b8fc555878f1a54a865fdb0941e3f6991c7b0d5f82ada9f957a
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD580bfc679a86f00eb68ea7625c0614dee
SHA1bb113a5c75d3f8a57f3b86fe36e039aa585e7e7a
SHA256808b0fbda5d99f41343e88afa17533f09c846cd446492febeb427dd2aa9d81b8
SHA512dc8cce44cee20bf9db156e10b43277618e7030f7e9b989d447e08540c7a63e0b9018b0654223c0bcbb7580242e774f1aa9678c20011dc593c8730f0955232e9f
-
Filesize
10KB
MD5652aa72906a2f56e9fd854986ba80e56
SHA16e17f913affd67c98e171d5c7550a6abe62f1fc4
SHA256b8fd7dd16ea2c3bc9dd9f0ba92332a075bc8563243edd7a122639a22d85dbe16
SHA512920b76d89c662eb000bf121156cce7eca0d2fbe0eb95abaa32f07c9b26ab719b8c2b6fc1cb97fa2e261a1d789385e3150c7f995a33ac44a6f29d73504f07149c
-
Filesize
1KB
MD531c82cb41fd3b4c66d3519e8829cd0ea
SHA19d530b0f62ef720894cccaaa4cbc240d9d11f0db
SHA256a4647a3e64a52c88d2daa9619d8631acb4a9dad98144367351c31c84f35cc6b3
SHA512ef409dac77b1c5ac60eb5891d7ee96fc10eef95b8f7f1e9eec7655dc4b5d7cd582062ecb2c6309e9a09503861cf6bd98a0a8588c792a6664d286d01982269576
-
Filesize
3KB
MD5c8dccd89b20838267b27bb3618508c4a
SHA12e4202f992eaaf2f84330509a26d52bb16dcc8b1
SHA25674bccd97256a4466cbf7f25729cf7f434626985853e70574adbd3344d2b555c7
SHA512da222b66a194f9d9cea5be55256685df30b8ce5af108ae60d819945adb853f75ebb7929ec5a40aca24184fb8d04ca4531012b2d1dd4d4971ea5f54393d74f9a3
-
Filesize
3KB
MD5f184ac0a1f76b5c91b4e52b1f445b443
SHA1e392bacdb58a9d8426327d359e8a8a366f448ed3
SHA2561cd136854b65bb9e6cadb8ba027e55110b3843b6c93b44803298dbdce7aa6f41
SHA512656020f8f5b1920b646fc9ac5c4abab8e18c08f4023d801b3a50f40abdc4ae0b08e518d007760636a063726d349ea37958deff96798ced0736b134321a941bf6
-
Filesize
3KB
MD534d6ad559a833afbb17137eb8c8a8b09
SHA1c439859e2c4d07d8681a163a3e763e31b096bb63
SHA256a50a3e2f49e464d21cef7b09bc1e489ab70ffb8021fed6aa6864a8f4b01c0611
SHA512fe6774df15e1ede6cf450b8f068f0ccf8cf23f71cfe78f543acfda8cfdc418496c80dc124344e4b1c4e3dc06dc637065615f7c8554e9951bdda7df19a9be4eab
-
Filesize
349KB
MD50713de8c0103ee3e44b0ce46dc0e1278
SHA19ed9be10d2076797d9fdc2c06cbd6cb54acd99e6
SHA256965dfab52ad06d0dbdc39b535047fc25fcdd00d176ee3df3175fbb5902493ab4
SHA5120f37b53b8a410cef21cbc57c330a18f7eff62f434d3a35f28a2612320aafc9aa8e932a0828bd68a68d1f389bc423c4478f7139e6488aba553d2c5673112c532a
-
Filesize
219KB
MD55eca94d909f1ba4c5f3e35ac65a49076
SHA13b9cb69510887117844464a2cc711c06f2c3bd19
SHA256de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474
SHA512257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea
-
Filesize
270KB
MD5860095fb4fcf2801253b5fa4ad9fab5b
SHA133d2af6fe404daf8e721fbd96d2d5cf45ea3b730
SHA2563fe23667391630a02c951d35042e79ae614174483e3428279eb018b48c44fecc
SHA512f5e75afb8b50077f6f03a809e29f2e30e7b6bf592da6b8f078178b578f0541e603388a119cdba337e0fe8cb27990a44d6ca0f22b52e4fd38e932bf5f6788015e
-
Filesize
161B
MD5aa79c582fde1ca5bf09453fd3c356567
SHA179ecd7719efcd614f4f598e47f3437fdef180139
SHA25682d1eece0e63c88164a8bd8431ebb11baba05a1390dde2d155937e87d25a69d9
SHA512b644aa686f4a8998e0c28df60e5b68aa75d8ab4539db1a151425c41e477d1e2f14569e33b089df6d6da80b8833b72d6dc6b8a41a030a8326ea7b283fade47278
-
Filesize
277KB
MD58df4d6b5dc1629fcefcdc20210a88eac
SHA116c661757ad90eb84228aa3487db11a2eac6fe64
SHA2563e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
SHA512874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
-
Filesize
40KB
MD5bf929442b12d4b5f9906b29834bf7db1
SHA1810a2b3c8e548d1df931538bc304cc1405f7a32b
SHA256b33435ac7cdefcf7c2adf96738c762a95414eb7a4967ef6b88dcda14d58bfee0
SHA5129fcfaf48bfe5455a466e666bafa59a7348a736368daa892333cefa0cac22bcef3255f9cee24a70ed96011b73abea8e5d3dbf24876cffa81e0b532df41dd81828
-
Filesize
1.4MB
MD5fe6910dc8ed246085d6e2887858785c7
SHA12676c3ebabe2fab6a4c2b3fb1248a48e540c9df6
SHA2561d904cdceaf68db70c15ccd139c34079b5c104a3a74e39f534180be64ac0471b
SHA512d603e5435376c002208b9372901452bfa26c6d5643818b61e16fcf8ecdded6be5859175ea52956766c4d4a1b0f5efcbb69d770d2037b5e9b8ff10dc55b88d734
-
Filesize
4.6MB
MD57d5484687bf85624025a4d6c122d1ffe
SHA111e9df2a9fa98f4fd755c3f0199fc265acfa3a7a
SHA256cbbaf0066a92d5413592ac9610ddef88e727eaed2acfa1a49c50d013c8da92da
SHA5123f618e92ce5dd84c65a0cf937150766ba82e54b04611d95d3077c929a53389dce5f228bba5c0bf217521fc4c2d81c1282517e7985356ce2f259d4ed2e4e25e07
-
Filesize
76KB
MD564e9cb25aeefeeba3bb579fb1a5559bc
SHA1e719f80fcbd952609475f3d4a42aa578b2034624
SHA25634cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
SHA512b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
-
Filesize
51B
MD58af01757cc429d1347430084913566d1
SHA1e4ec570a0b1a5c99e0613da232eeff4b42ffaa75
SHA256f1a33cd5b1c9368f73b8ff144bed026664577317df27baff774b2bd2acbd52ef
SHA5123edbca5a661d0fbdd0f8aac994b50e3f844e1d6ee6bfeadf0d8aa89fab1b7cec69b9f687a704c7a989726bb676604e2cdb75ca30441e94a05fdd4027ec9a494a
-
Filesize
430B
MD5c66f9c71b325c88e4a0a37ec2f4477ff
SHA1ee2d0c5e2ecdf53c3673f167d2c5fd9f3498de8a
SHA256ebceb1e061f55fdfb57fa685bf011cf310a06f63d14b34a52031a16380a0d236
SHA512bf53d0f2de9c11c8c2c44cfb180c236d9d56bdc49bfab74757d00216be5b5619f7687799013e871c1668ca9312da5a323a7071dd70e6d7a77e8670130b9b88da
-
Filesize
475B
MD54372ee4d123ca18d933c173df0712388
SHA18f4f50684c6ca0fc86e9e65aff49f3201fe257d6
SHA2568dd4129c7d5d9ff37311026661277b4388c13299f76c5a92c28a394516d9d03c
SHA5129bf97d44205df2c90a0c3041a28ab96a9b3f09ab076021bee6aace57787651d170a78866e2ba9f875accf5bf2ff7d9adfb3816278a177a29ab1b8666e0b4f5e6
-
Filesize
14KB
MD50b4dbf61a98f3e34cdd3a1b08a6a4609
SHA173587f1f5d040541b230513d22d696513dbd4cf9
SHA256e817802f166662a7df0b144571354d74b10e34d120f91ae9d84ca3ba925241c6
SHA5127cca370890e4e245c84507623531b5f54b76ced3e8c6b87cdfc47ed16560b6a0a5cf9e0556075cd0d9266908e445b854114edd69d50870839624589676c0e688
-
Filesize
5.8MB
MD57429e30caa2a8b41d926ffef1a05b347
SHA132abbd56225cd7379bb1cca8f6749d43916efe2b
SHA2561efc5368bcd9704d7df85e2e143936d6ee4509ac31a7ca6d3eb4cf3b18c5ef27
SHA51255243a97d9a7fcd43d531bb61615e734c8bfea242f6e28d67ce09cee586d032d83709a3b8c4ecf9b567252a53d1dad1853aca669316aa2ae62422386156b77c1
-
Filesize
125B
MD5350126131a856bdd61f79e7d3517c1ef
SHA1a36570b9bf169633f93addb3e3fbb3d162b9720d
SHA2563558db8e365ad533c73d777f00a25f9dd493a4b19a9457904054bd5f07a6e0b9
SHA512a7016ee2a54d30891a1510eb577d6e32ee3f24fb94469145648b3b51433e07dd1dc54da20ca86a4d3d3bb41b119855956ae26720640c547ad474df68a56aed25
-
Filesize
101KB
MD58b632bfc3fe653a510cba277c2d699d1
SHA1d6a57aa17e5eb51297def9bac04e574c1e36d9c7
SHA2562852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4
SHA512b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587
-
Filesize
600KB
MD508a77ef53b1d9c9ca3db73e89ee6506c
SHA1a78ad3859f2cedbb9cd764f9b1cb0b113fbcb55c
SHA25676e4993259dbc2b8f7e16b487731fd52f554332ac24f0bd8133f33aec845b177
SHA5124bd47858148424818e88996db2c3dbd16aa7fc328bad27d2e9f6d907c8bd4027a3d2fd27745dfb4844cbcf0a17a1d9b4ff341455b6b14fe632aed8e381869830
-
Filesize
980B
MD58ad06caaa8b86cc1cd15c3ac01922ab8
SHA1634081cdbc48c0a8362e9148c2e05dc6afc19207
SHA256f00636e9824c0e4224181f4f3e9da5ecba6588f989f2962d5616d6eee615d86b
SHA512e0341ce4fbfb1ed713551bab8e77d1a2cf6bc89bb299ff86cc7a31a9ae171c3bbda619be25142fe8996125e7c45a23a009c16cf59c25da902a4325256dee478d
-
Filesize
11.0MB
MD5d49e5e8dd0e5e347b9bb061aa9c328dc
SHA1d97c692a5c927f2db65c6ef9a240b061bdd668ed
SHA256f157877dacee3384192d3438d6d6c4dd7f25eb313a45bd0799e15d90b4eb3114
SHA512251b589318a39395dd8c40c0b54e6d000d60ce76710105d46059ede584ed939280c7f4d82ed513a5de224deb81f1213b2993301fd6134ebc796dd9b4283baef6
-
Filesize
7.7MB
MD5bb8b1f45d98a13e966973ca0eeefad9d
SHA1f9393120df22a00ac7d4cdaad466d337b891bbec
SHA256650f145e45a4b6f9a953f69df1d919bceaa3962c29d0a07ab7102afcf85a6930
SHA512592c541a6dbf9aa02ffd6566f49bfe7b30ec6d51f116e3a36af10beb4412666b4f5ad7a75716af11757e7f5bd22fc909db18ab38df26af0e0e093e09ce9489e1
-
Filesize
278KB
MD519a3ab679df06aaff3d972cd014ca769
SHA1fec74fcf958bd3effa02ae046308961f6a79cc54
SHA2563ae294870c3f566d1fa8d05c04930b6a60569d23c4341dd1033f41530a3e8e6d
SHA51241206553caab7a86e3ecc0e38a75ead6a74a5be358c53ee3a4902a367999409de8d381460ed3a20b9469c44667d1778bf7bd6fed728fc404c6c7e24afb5f589b
-
Filesize
427B
MD53da49c8188fc8651c446bac772bebe6b
SHA1b0b2c8a4fe456aa26d6de2b85a7802fab1b87900
SHA2561983c8b31bab59e35935fee1352d2f51998d85e3241cec0b1b237ee75e09357f
SHA512847e57dee8853656e787a3b954c2eff1b7da990f0e975636f4cc31a2518c7c4291b5867198cbb618a510c42855cfc6c4dfdb7a329f7c5194f7c9b8c8574dfc7d
-
Filesize
341KB
MD577a8f8ef4898599fa908ede9753ce457
SHA1fd1241d2c49bb09bceb930df3e1d457d0e37b4c1
SHA256609c98578f813ae23da82bc05fb6260ada1f5da85918b7fbd72653b46aecc302
SHA5121dd6436e0dd42193a42e7402c9c326a3423f42c3a9216b22a57bccfd01402ceca665a5293302561bb9f0367f0ad9adf711b63223e25db9bc2892ba73d34301ab
-
Filesize
288KB
MD50c820691d338cefa80fd47adc4f5cfa6
SHA14d82ef5745495c0e353302c1e404fd6627d012b1
SHA256f0310aa8b66c32d9c800df44fe9dcd100044e3a3aa12c1c036e4e5a6d491cfa4
SHA512c17888e42815d8c4c4a25cdb9b34bf9129d197d6bcb668bf9a59216d26a3cba8bed59bf09538ce00b2291569851cc18b980f11e25406f3f1f5bcc0be4ccd194c
-
Filesize
4.7MB
MD56a4290819ee8af6966d56699c390e45a
SHA16bd9c7b1a18bb284e00169a27a0e96b0f479f75a
SHA2562bfe7f2c01b2b4d5535d1cc407b0a750e8bb27409a268d77f46b461863a49301
SHA5123a804ba19ea7867cc7d9ae7df3ec8bc5d827903340f8cde4636fa47084ea74681efd0925172feeb09433abd26c42439005c8e9104271e96bf2731eb7b70ea7ae
-
Filesize
10.6MB
MD5ab66bf6e04973621114e882834c91178
SHA1b7a745de1aaa1b09d6aba7cb70d8ced0e61f2177
SHA25679a52cb25a58cf08e11b46bc743cea2df4d5097bf1c80d5ec58c1abd2015b5a8
SHA51294778e81709c9433defebcc1757433af37cf9a7e47f0c502b278e96d2e1d693b896983f58fa9b65186c252f4aafaee3ea55c8ac27030645c97e36a86536bbbfb
-
Filesize
4KB
MD5b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA15c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA25696f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7
-
Filesize
3.2MB
MD5ecede3c32ce83ff76ae584c938512c5a
SHA1090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA51261ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d
-
Filesize
1011B
MD53da156f2d3307118a8e2c569be30bc87
SHA1335678ca235af3736677bd8039e25a6c1ee5efca
SHA256f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
SHA51259748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0
-
Filesize
644B
MD54f94d9aec32ddd887cc18c75bf1198eb
SHA1b409788e465ce1827c7b59fb142905efee1aa786
SHA25607f1f4c18a79697f3db5d36f63e5a2808ee529bd8acae798b34ff2e6578fa041
SHA51256dfd0ae5d9f83297a0eb9ceb6afec85d5b71a81eca83d6544f80da8a053db8ee7fd79c2bb41643fe2e11e33c423a4fb73814091f9b28b54b95c49986f0f5ea7
-
Filesize
975B
MD5f2e034df8794aeb214942cf2f1428548
SHA1f19cbc05992f82b6ad9e557ecc4c342637cf2cf2
SHA2565f743e6fc12a38a5f0d777810ca28ee445ead07d3a36d12edfda80f85f921b2e
SHA51277612d1b024b485ae48db5d7ca362ec21f7ba1bc490938e42cf4c578bdaebd55200bbd380a4bbacdbbfa4f3e4297fc0f07598ae0cc74d6a2800168f83635db35
-
Filesize
157B
MD54101d2e2ed8bc88b996628b3799153b7
SHA19a6d4a89815ca179b34933e6d1111c57b745e56f
SHA256d87a59a089da1e2ae91713ad3df94cb6cb8c531ab13fd377dfdad05e740349e8
SHA512d358fd0b4546cae25779c91516f7bf3b1ead13fcf0b37e9dab311172b005688b7532d3dfacdc0d7d4e45d6b999d19c02f1b8a6ab8b911ad3016d4e7ddd2ae33d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
32KB
-
Filesize
5.8MB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
632KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
376KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
11.0MB
-
Filesize
680KB