Analysis
-
max time kernel
382s -
max time network
378s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
27/03/2025, 17:10
General
-
Target
https://github.com/quasar/Quasar/releases/download/v1.4.1/Quasar.v1.4.1.zip
Malware Config
Extracted
quasar
1.4.1
Office04
Sigma:4782
5dd3911a-6fd5-49b3-be06-045737a22fba
-
encryption_key
C05479B42619500641FE325FF99D3043999E146B
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows AV
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
Checks computer location settings 2 TTPs 28 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 41 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 28 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 28 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 34 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of SetWindowsHookEx 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/quasar/Quasar/releases/download/v1.4.1/Quasar.v1.4.1.zip1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x258,0x7fffcf1af208,0x7fffcf1af214,0x7fffcf1af2202⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1888,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2592,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5584,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5760,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4896,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6784,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6828,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6820,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6616,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=760,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6612,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6372,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=764,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3868,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2412,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1060,i,13314916190445081655,4063741314383896924,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window2⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x2f4,0x7fffcf1af208,0x7fffcf1af214,0x7fffcf1af2203⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:33⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2300,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2288,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=2880 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4348,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4564,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4564,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4396,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4384,i,786997000665441477,12876247083620001155,262144 --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:83⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3l6XNBOGJvkM.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yvpBboMWEdLF.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uA4JB4Tn8HOh.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X13BhWLBQSNe.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuY8oateVY30.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kzfMacgUaojG.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2hOEWklZuIAV.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8YCxQA3arrsm.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\rocketleagie.exe"C:\Users\Admin\Desktop\rocketleagie.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fawIjRYTuRKh.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aoQxSgUlYhY.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6nhCZyLaI48.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\79vthlgCPqvQ.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32ehxfAN0LSx.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1EITWJXLlvg.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Q7mXPmb2rHr.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVhVk7nNSMyA.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\rocketleagie.exe"C:\Users\Admin\Desktop\rocketleagie.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M40bonrkgyDb.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mzdM1hsHbP7l.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmk2tZugU0ft.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MtqXiIjDHoYg.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y22tmij1vBtK.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dy6kuNugTfGP.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekW7agWJNmlu.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EauW8oIQdbm3.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\rocketleagie.exe"C:\Users\Admin\Desktop\rocketleagie.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\rocketleagie.exe"C:\Users\Admin\Desktop\rocketleagie.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gbERlI6mHX3V.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sin232H7L0N5.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGF1pU5ZmBzi.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows AV" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zzqFHM77UVX1.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53B
MD522b68a088a69906d96dc6d47246880d2
SHA106491f3fd9c4903ac64980f8d655b79082545f82
SHA25694be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88
SHA5128c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff
-
Filesize
79B
MD57f4b594a35d631af0e37fea02df71e72
SHA1f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a
-
Filesize
141B
MD5811f0436837c701dc1cea3d6292b3922
SHA14e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87
SHA256dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d
SHA51221e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35
-
Filesize
116B
MD52188c7ec4e86e29013803d6b85b0d5bb
SHA15a9b4a91c63e0013f661dfc472edb01385d0e3ce
SHA256ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62
SHA51237c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
118B
MD5bfd928cc511db8e8550a3e5a00cfe169
SHA1569543caeacc652b8a78bc1aee3ae06027456eb0
SHA256c49d97c9219d36b85b6541c049f1fb766a6b587b064253ea7a2a4daf3cad64e3
SHA51294ba54500dafee7013cb90c921509f1be94de9d9ad4825aa0444f4038c178bf2f70e9210943247582f36af81c93a94af68424b3f3ac25743acab145fc7ff61e9
-
Filesize
76B
MD5ba25fcf816a017558d3434583e9746b8
SHA1be05c87f7adf6b21273a4e94b3592618b6a4a624
SHA2560d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11
SHA5123763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
280B
MD5aa8fa0bc5e72cd1e4627aec2b1a9f4d8
SHA14f3714aff1f3353743f9223c855ba8d1c584a260
SHA25697bcf3c1cb86ba10ed20e2ad0f1bc1279f36d3a113de0c575fc89c01d92319df
SHA5129918b5e780f6d7e53d723423eceeddd54f0f24c55005c04daaf5bddf0b98a4a27c4709100d056198619be1cf23f4f321967669a8a9566312b7d04567e7c5e396
-
Filesize
280B
MD5d54687df35eabb67a9557f67dc40d759
SHA164a1cfe34f80a56ff520bd098310440944cd752e
SHA25672dc2396a89e431c5139a64e27ce8d6d0e3d61aec82d5d702da6a209848fa0c9
SHA512b01c98ba21a25c50d0c4c10a7aff61d08f1cfa9a27ebeccffba7b3405bed42a23fa384aa28f20fd3a54469b5d982787a62d17d0c4d7ca7b383e6bf7e14d512aa
-
Filesize
280B
MD5df2d1721cd4e4eff7049314710dc7c11
SHA1f5aed0158b2c0a00302f743841188881d811637a
SHA256ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93
SHA51211fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4
-
Filesize
7KB
MD5e237b213cd73bccf6a683feaf0d05231
SHA112544b50d3985564f0a8f3d9e73465e08f1e5c15
SHA25620d32e9d5817f6a753b4636e2ddd3206f9b612eb18352d82d1913868afc21188
SHA5127d287cbe55511a4d7a9af0f3caf8cc91dcfd046bccf612059da8e1f6638acf31bb3a19c41c7f5524ceabbdaa138c180960d7d4271fa6e39aefec71d597bda97f
-
Filesize
151B
MD51359cb974c4242e6781cbda508ff6539
SHA1b1d48bc3456287eb3b75db548c41fd84d662581e
SHA2566812ba684ca6777303ae1aa2af87dac42c134cbc42c7a0bac57485ceb8672b54
SHA51292b743c80f74bde65b440e00884c8e13991e4105b4b9d5f007f6bb612404bc2690b035b57dc07590cf6a292bae69c3d7dd823a0efd0ed485c7ff91cfc837a7d6
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
Filesize
264KB
MD5903440024d1b0c09f5ad054f815b0b6b
SHA1a324b7c276808b142d3506eb840c5a4f4abef434
SHA25663d9b75bfaaf6717c14d75bbdfdb98ca71936f7e67f5cc068b83d12a6fd680ac
SHA512ed1ff3073c01b6903d27ec1121e58de4db416c031c23028fd45dc2f7617bfd4a7096a79aae44c5863a080a4829048990b382eff1e8024e122c7a869a783521a8
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
2KB
MD5378bae52a4d073f1e87ed43f9687c9af
SHA1e95402a9811874be3ade5276db7bf668da7b15b4
SHA2560774274041350b944ba24b2eab8d311496d120f0da81aaaa348cd6ec9e495f7e
SHA512f420e23947f735296d102f89d3995fc1517ae759f30eacce4e2802f0b9d3d24b87c10592aa642692071c0d289b0e464c5aea4693d586701b592b34f1c11a3b25
-
Filesize
2KB
MD557a6bc8ce7c4f82d84a6e67daa8f1d34
SHA1736a9b91c1d82f9273b4e7fa5fc4853b1a043021
SHA256382f902d7ba06d364bc9e1f877b3c6fc128c8f7d58198a2956dc88344963108b
SHA5126b40005b2d8aea2ac21fd143e00ce6e289b5c3315655f1ba3883402678b4106ce4be12537cf8dc7d8467c8de17e2c43f94cf97cb80bc65a4cfec46b2447f3405
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
17KB
MD52cb96b93005500487e18c1f7d1ef1cfd
SHA1b289a69ec479c74de66154baaa8d0a040fe2b24c
SHA256506957171477ca35e27194c81232666cd81072e143d370496d68cdcca841908c
SHA51222e7fd7132676954bfef7463480b8cb89ea8e0e1e3c48605715db3ddb997c751db5aed7e556d37468a268b482cf0d45926c599ba2ed2dc2df0ef06e505968f4e
-
Filesize
18KB
MD58eec7764a9d0e5806db70f11df4bb8da
SHA198face82f75a3642b3d06b1cb0335432bfe73ca3
SHA25645a264bcf8fbaf718ce999f78e7b881d04988518b1d0c1a0c2a79736e79be6c7
SHA512a709629859d600fa3844cf325a8a8666689d00594227a5cfe8d792a625cca9b5b1b96a219aba2e5a38f38b48c01b928d819a78f209fee74cf39eb7352dd5217e
-
Filesize
17KB
MD57697f4f4a0247a13db56d07618693425
SHA16e935ea3278d3fc6665fdb8c9fe9955ba2c03639
SHA25610d7fbb7868a952fcb256cbbb24b27a9e7eb1447a5e3e129dc4473e206c838cc
SHA512a258f7797c04a160f8e4b0f6ae9c60a25572ddb07276dfabf32803f7a762e95a60a32f8bcad1a63dade4d61393e966af0663cc6d8f1da7bd518357fc029307f4
-
Filesize
36KB
MD5774cdc1423caa7b8f5d331a17b8dc8f8
SHA1a17c52e25c54015cc324f0dfe1503e911269e7c0
SHA2566c4882971fac62bee1b2c17ee98edeead6a499111296553e613bb0d8869b24e5
SHA512d37e8e663d244b347a41991be0c2a450a865bf120d8008c680015d0ae23e94d5808ef3e569d38dcc22e206a72e998341b71f4095b664d226967bb922c359dbc0
-
Filesize
22KB
MD539cb1d0b81f9c9fa186a3ab2cc4d0c6f
SHA18faadb2f60e82534fdb36ed137bb4a06588c2589
SHA2565edbf3de33476599569ac2b441916e9100f0281cc407f3634f78a1d3b2d684e1
SHA5128ae7a9e178f82d041c694e452cada90f5d62700b40546e63cd90c0f558e0d594ee8358ce2b3957c3923144e53a3705101e8e296a86eef7ab55fe3fd40465744a
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
113KB
MD560beb7140ed66301648ef420cbaad02d
SHA17fac669b6758bb7b8e96e92a53569cf4360ab1aa
SHA25695276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985
SHA5126dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5
-
Filesize
469B
MD58f298075eebea7cfe034463b435ade7d
SHA13782d5669ac7d5db560bda3ab5214ea6fd17e609
SHA256bf2dd0ee4042c7e8ce1ec42a030714f7b91cca3b1493956f1423b786411bda54
SHA512b049f7d92fb269103fdc37482bbffc178de5f56abad393a9c6ad550ca96dcde5d4c22131f30fb1622d7312bd2ce57f28554e385baa1d5372feff169f82273a68
-
Filesize
904B
MD50ce267c4622a75097fa82dde7e72fd94
SHA12a54e9152788feaf32fed76d1733588c810816de
SHA256740a69dac00ebfcb5005b177556bc9d7d1b6cb1ea510475bf2f7c518b71d5655
SHA512b19f7451510c3701f307a368a56f113b72c2d9ae9f9585194dea44477610f88f07807d173c228b318fd04a1d4d9448ed7abc8716030ce5e1bfc321a0f48bfc3b
-
Filesize
23KB
MD53f56bdbf401d92d2ebd240bb31e2c945
SHA103fee68c03dd92587cebbd6d39712c134cea7e62
SHA256ad168d0261eee924cde84c7c3c07da49f121e07d81cb765d6972939e06c32718
SHA512285253e931d8b64600b148fea2471d7f98f6a480d650ac4916baecd8981732a2a3ddd6848513a35d3d66327527ff45aa30c255b3f9898df84cbbbc1a65adaafa
-
Filesize
19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
Filesize
50KB
MD5823c2ed3528882994b7c1c9f956fcf12
SHA11e555c605c7c6664b900de04c2392f000bf1f674
SHA256f61c6a9f8c88c3d3786a7372cd24899c03b238e348eec5a930c12af2f2b7ff25
SHA512b4857c7352ce8fe6d5ec13255e996204fd58e14b1df1be33589c27fc445cf56623ca2fc6edc1b7465289eddb1a512175549a0b70394ca9549d3b16e093ec3385
-
Filesize
40KB
MD5b49f25e5dccd79a703eca01ba3df0968
SHA18f5bdd32e906b9de38ba0a4b7e4c8a3ef73e99c4
SHA25674e45d3e65a358b94ff05633929dc8e1f2043b0cfa9bb08651e3433a55686ab2
SHA51267c6058376ef49b711ed1c5458e91e64ae93691239a27cbe03c7a7dfd808c90c31d9231cc69878b53463ce7f7e160cc8ec64e4004db6e0294034469daaf6e524
-
Filesize
41KB
MD5d14328ee6e60ccd412cfc9aeb6465492
SHA1f7a4215506d0ab5a8ec0a0edcf7a4c36dba9de33
SHA25696c96219ce2c85dbea6bebf7590bedc0f8d7f95ea2baf61c9d6b4c0146fdfc90
SHA5122a63def2f943cee3a24c9f62a9acb8c4a8ceeae1efe41370e843ee991417672eb2570632f582b1d5fa9ff36c7d8eb7c05836e479f5ae28f283ec3424bd414d4e
-
Filesize
50KB
MD568470899f8fd12847af89f000539d860
SHA1668fec21de649df923cc51df70e123f1b45850fc
SHA256dd3a52a4fbf818affdbd3951b90c347966e6bf04bfd9b37e77af4ab740eee232
SHA51217bfe0e90930cf82bedb39c4f273030aa1d72e019e67c1b8f9892d2325b1a13d7c2c1dd86b322e545cc1a483f52e86b6f1a82a11074b5928d0194f97ca142433
-
Filesize
1.8MB
MD5d7c9c6d2e1d9ae242d68a8316f41198c
SHA18d2ddccc88a10468e5bffad1bd377be82d053357
SHA256f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547
SHA5127fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3
-
Filesize
24KB
MD5aad9405766b20014ab3beb08b99536de
SHA1486a379bdfeecdc99ed3f4617f35ae65babe9d47
SHA256ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d
SHA512bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852
-
Filesize
6KB
MD5bef4f9f856321c6dccb47a61f605e823
SHA18e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c
-
Filesize
628KB
MD5291dc27655975b5be12155942f2d5fe5
SHA1a2ed705924a4876ef92d17cca8883e7bd0ca6318
SHA256e3ad9d77cabb94127ba2788196495e416bc58e7e7062fde2dfadb49df8a54296
SHA512a34ead26dd64d97a30f2c76ff6a29d71573e1c343da5fe8b499e764fbd0a9c0cc432d309ed8e5b627eac59dd5597a8c64af69a96791ff5b9b85f134985fb6c65
-
Filesize
572KB
MD5f5f5b37fd514776f455864502c852773
SHA18d5ed434173fd77feb33cb6cb0fad5e2388d97c6
SHA2562778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e
SHA512b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
2KB
MD5321ae9a3eb31da6c790f5c4d418b9d6c
SHA14ef3ba89a0464d8b0293bbc567e446a1ee01674f
SHA25699b69fb9f63efea16b355549cf5da617994ae4a96833906cc5c7ed7f6215b724
SHA512e4ca48bea4b423be65eb52b6f26df648c353214384ce98b5d99beff4851e513c7d77b4e0028bb7440739dccd98505470b2338d887351d605e678b3b51d11bd0a
-
Filesize
207B
MD5a0f26e5fab677e37fd74dc535d738595
SHA1b9d078d881ca051d8e5af3b8e73bdd1160542b0c
SHA25631a4c1e4bbf0a4a9474be1fd60879dabc888670d60ce8b2f46b5c693df7163eb
SHA51249239e82349d02788eea3f9e2705ada1c772888af2ef689e9dd0bfef44756ed30c0be490fe6e942f39a0c6b2e8e473f812984e32d7b837e1a33caab73699cf77
-
Filesize
207B
MD597e14c2ec48e0a35cce3aca0644c8e0d
SHA12f9967aabe316aff75ade4d712a0a7b97584ee28
SHA2564dd7a74ccfe127c1954c5fc8e0f65e90f4493f94b53d6e3348a7afd51b9b83dc
SHA512585aa8ce1e992ae7177e56209917944a3012e59ec1cfad8dc57757c78b149196404d61dcbbbd93d76eb0c978d4119b7f7f7927bb1043545f8b6ee4b99a67da31
-
Filesize
207B
MD5b59e85ca423b10c75bb7def8eef2cda4
SHA12874c1a3ef73cd544189eb7941e26d33e1d46df6
SHA25654883c666dbec49e5da3b46b1f864c7974121c11e8feff3b328c403204f7a254
SHA5126e0114c9ec742bf68bde7fa0d3740f528eafc41a1ce31d3ede8c469ae8b4083e06fbc8b96bc272b2543ceb427008d4a17d0cba5a304d4c14a242e78b6d0f67ff
-
Filesize
207B
MD5027e8e8a71c46a3643157d0602af49bd
SHA129cad73bf2e331b43493e670e199fbd94bec285a
SHA256e6c6e3db177896669c195834a9bede6b7882fb4e70b77a970b6c633984f091ab
SHA512eac83a8a338440285900dae638775b1124fae9caebd79cb4de7f911b8ed66a89e4ad717a57448cd719e3540c7b268ba48215a905cad3987042848587c6c85fcb
-
Filesize
207B
MD54ed70e984d2d779394715e17f06d2e7b
SHA11a017a2f43f2f9238074ea2d051ba437dafa2fb7
SHA25648835e5c95919b4359d5d8c4bd255bd66ed1e69ab4df570dc0df80a8da24d5c7
SHA512e6f0f1206914ca2f3f4dc02fbe719e19cbcd154a86d5f8ff125469b3943e7843d00637f9882203e542a283a0cc5d9feceef901f62d219fe689680c2f9a5203fa
-
Filesize
207B
MD5232a529bc240cbc3082fb5353cb59d6b
SHA14ea380a8cc78d5e8806bed083e64432361c803ef
SHA2563c8fd134738c651b6f3ab0d2751a2870cbd406d6dd3a0388af64f45b034c9360
SHA5129b67a0e18cbb29ca628a1138d5459f82089fb4a7617ee4d924d2c040c005d1a49f97b876e153736d441ad5ac9ab608a6d1022fb372475232a24bf59c4a754a49
-
Filesize
207B
MD5899410bd8ebb97f9c5724bbee7e0672d
SHA1d555b1d9e45d639bc859e324c99184c8eb6ff583
SHA25608fc6cc6bbff45cc13af1e3d87c3b45e7f0a105b2a3a96f5760fc77fd7efa570
SHA512a8826a6ddd88be56379b4b0e47505d2a2fdd305d1524f6df1f8d7e64154b05a36e09b0c70a7f8838000e614725762e69b3a2628ca987c0fe831611060118efeb
-
Filesize
207B
MD540ff4c5953530f794b5fc9532653a952
SHA198fc19c1bdfadfa03430a5f7493a3edc6d544c6f
SHA256dbe3aa51d56b8d79fde9b6eaa75399362abb7e5a24556b519248eff5ab826520
SHA5122ed0b82e4378033a5a73b79aa703a85de93ce40442b0a3b0affa9d66624b0eddc9176bf548ffa0eb2b9b7d85d1853857fe091223f512b7e8c4c5ebf24a4e3556
-
Filesize
207B
MD5d9f241193b782a6327984321458b1be7
SHA10888173e13960250ada2307f6056aac24f82f432
SHA256d1c82b58218046b51dcd3a5cf2106a4cddd9ef62cf2d2ff3f7a5772e0f8e0b80
SHA5124110c5e284add46a61565e6202593d277621684b535aee72ecaa6879d65c189f941366b47d271a9e6529f24beb05df5e08a239e2c87e587885f6250dc71eb5ff
-
Filesize
3KB
MD5a7c606642d41b1a14dab4ef356c3e8a7
SHA1ccc06bc994bc3043d181e092254e08a42959e3b5
SHA256f7f78c4dbac49b176b04f067c629d18f5c0c836fa4bcca7b038d78c538739af0
SHA512f2474416ea27ffd269a036c115587a3d02dcf1ebac033469c10160fbbe70f7e1dcc8f9d57e86df6ab9d1c1ec1a99512941a2bf0e60d7a29921e977de7ac2cb31
-
Filesize
3.1MB
MD5478431e5787942f8d799fb13b33ff4b3
SHA144eff08267c1c730d1c432128b69df64b3c618f2
SHA256673e8f45d76baed0b631184eb7413dfbdc6eed02849b3be9980bb1dc4d7bdcda
SHA51227a94e896663350c47d971d05d302179d868d0e2fbf8e5d5a3be1064c5abbbcf8eeca59bc1dd40d2027715556b8b3a81a4dcf05b5a41dd87a8c75e406b2c8d1d
-
Filesize
1002B
MD5e28efdc998aa552269e11be25ac15ad2
SHA1c2eafb66c57b53df6c7118ae26484973514ab10e
SHA25635365a12e79bfc7422a6f98ecbf553358373db1e76e91cf1fd556bf2f8e68e73
SHA5120ab3b5209b9c946a848754084af7bc7b292dc866ded49c31770acfebaa8f9cc4ad8e667495a9c62ed53cefbc0fbb6b2bd7b117cb8186e47c05d684214f48e524
-
Filesize
1004B
MD50071f57d48308636c6efd140b16740fc
SHA108611daf42ff7afb6fb74ce468249437e4f448a6
SHA256e58e4a9d616305e24e7336698bb8a3e1da0ac1a65e475127a8936a873df4584b
SHA51200c55eed07d7db5b0f2c1c16497213ac3bf2abeab817239b5fa22a1c1bde070ec96472b325310e2fc15819ae78c742b1ff67b1151f07e3a853aa590558d6acf9
-
Filesize
4KB
MD56288417fd139140116e662a7b89201f8
SHA13d546a4f5589e3c881f265609bb09cf97757fcaf
SHA2566be125fd831dd980ca659b49f319a644970ac8f20ef9eda08113a62f468ccc50
SHA5122fcd9bcaba94aa31475411f721dd6c1975d57cc0ac27028c1c0f293905ff7d4bb96e2cea5e1659105e6ae514f03f428c86b180319f0ad5cfc5ab748923f765f8
-
Filesize
372B
MD5fca8b1c002395cf5d7ecf1a357f34319
SHA13795bf632d1a619814301b5226d958ce78a0ab12
SHA2560ac0e8ff8e7d2722ee870e3e227f844d16ee41250a16ba0b2d3e1537297bdc21
SHA5125d38019d282afd8b8da9d0acf0c2e622c3a889e0f7e457d08aeb6324192b7ab904ad133c6336fc24555a00c9654a8d9d21fa7211299d01b4aaad028a5739483a
-
Filesize
371B
MD58e44a023d2112129ab2bf88a4c04381a
SHA1a1a736dc126588bf1e819c7a42866088f8170fe3
SHA2562ab378fa81f348589311749673b574900ebe364e153784b6419a6dc51715316b
SHA5129cebef823d45962677ebaff1d72177ea5ba5d94702a2645950a6a794339b66faac994f45729603594558e7375b31ae0533cc9fd616169ee3613a956bfc13de5c
-
Filesize
3.1MB
MD548adeb90db817d4db9a7afb690e4888d
SHA14e6045ed20af938ac825f074d7025c7370b25414
SHA2564aad10437d3c44bb90fbd53848dff9e15d434a54e77cf790eeb3fa125f568533
SHA512b0c815dfc76edeabe43decde6177c0098d0261d54c6125709134b22388587e233c90a27622c2ce9d80f287991c9048dcee16cb618d56d6c4ecdbb44eb1e54469
-
Filesize
1.2MB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
712KB
-
Filesize
3.2MB
-
Filesize
88KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
376KB
-
Filesize
3.1MB
-
Filesize
3.1MB