quasar | 36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db

Analysis

max time kernel
1780s
max time network
1796s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

a5ec52e235b51b62737775708aa75b41
SHA1

2fb3d2b31ec5cc4f81d8000ab73e1c42e56d9696
SHA256

36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db
SHA512

c89a016cae8e27bbc080300834410e72c00279ea74004f52c1c82bb5293c3abdda0b0aa5634b3157cd88bc81acadeeb4e8114789d0dd292273a3d2871ba094dd
SSDEEP

49152:Wv+I22SsaNYfdPBldt698dBcjHR3DkE2HLk/+FMoGdECTHHB72eh2NT:Wvz22SsaNYfdPBldt6+dBcjHR3DMq0

Score

10^/10

quasar final spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

FINAL

192.168.1.3:4782

0.tcp.ap.ngrok.io:19777

Mutex

07349335-02d4-4e1c-9997-b1ec2161a0e1

Attributes

encryption_key
DE496BF144B8EBE8F8D89996CC77BEE88B0F6BCB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
GET FUCKED
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4808-1-0x0000000000720000-0x0000000000A44000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2132 Client.exe

pid	process
2132	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

Processes:

flow	ioc
54	0.tcp.ap.ngrok.io
141	0.tcp.ap.ngrok.io
160	0.tcp.ap.ngrok.io
181	0.tcp.ap.ngrok.io
174	0.tcp.ap.ngrok.io
196	0.tcp.ap.ngrok.io
83	0.tcp.ap.ngrok.io
91	0.tcp.ap.ngrok.io
98	0.tcp.ap.ngrok.io
115	0.tcp.ap.ngrok.io
134	0.tcp.ap.ngrok.io
155	0.tcp.ap.ngrok.io
18	0.tcp.ap.ngrok.io
167	0.tcp.ap.ngrok.io
186	0.tcp.ap.ngrok.io
201	0.tcp.ap.ngrok.io
206	0.tcp.ap.ngrok.io
211	0.tcp.ap.ngrok.io
107	0.tcp.ap.ngrok.io
122	0.tcp.ap.ngrok.io
127	0.tcp.ap.ngrok.io
148	0.tcp.ap.ngrok.io
191	0.tcp.ap.ngrok.io

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602409876867319"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4668 chrome.exe
4668 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4668 chrome.exe
4668 chrome.exe
4668 chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4808	Client-built.exe
Token: SeDebugPrivilege	2132	Client.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe
Token: SeShutdownPrivilege	4668	chrome.exe
Token: SeCreatePagefilePrivilege	4668	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2132 Client.exe

pid	process
2132	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exechrome.exe

description	pid	process	target process
PID 4808 wrote to memory of 2132	4808	Client-built.exe	Client.exe
PID 4808 wrote to memory of 2132	4808	Client-built.exe	Client.exe
PID 4668 wrote to memory of 1164	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1164	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1316	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1976	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1976	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe
PID 4668 wrote to memory of 1856	4668	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa48c3ab58,0x7ffa48c3ab68,0x7ffa48c3ab78
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:2
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2320 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1720 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:1
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1928,i,6736188313312510419,5939220661036732304,131072 /prefetch:8
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8ac409f85b2fcd4fa5a1ccec8cc64c15

SHA1
27f149c197c3c006803cbebf5ad67f8619840af1

SHA256
c19b4cd3bd40d9b1315e0c8dcbe98f482d590341c1dbcc60c9e41b846976d177

SHA512
7a3dc8e3eb513716cc9612052c3159a9c8b39d3adebb99c502556d9789bdb60caf1d76cb58ae5037476b90b303014f60182846be0afd938c87163bcd659c005b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c02a800e3aba902b4cf0d0c328ad8a52

SHA1
e04f3d79dee81536c3d8806092e0e539ac812665

SHA256
b995706bf6f714b0ea75ff91f8cd8f375e01cd19e3767501513faea7b86081cc

SHA512
243e4f92349edbf5978be16caa25c1cb801dcb2f29b1a3219f5b9b1d9c71bfda2b609fce30819d65142e1269341fef5d207f9c811f6fa676e00e9d4b828ba5d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8bdac59e386cc117b38842eb969bae33

SHA1
1708cd289fd4ae176bf9ac067f3209867023dbb8

SHA256
990766ba5cdffe38c35f300823cc5c3422d2eba8a5f8d723371b33952f8bdc06

SHA512
0d03ed7a50d584e680abb8cbf220acf1448deaeb7896a6d9c155e288d40b850abb7ad89fe7397c84f9aae796bca3bd8d130229ffc03cf4b8ae860ac51d38d134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
19f6f31dac36a26c990ff043f63b0747

SHA1
ab6cff9130d5711f63374b006b6eed9e2cf41cb8

SHA256
4a3871b9b9ad65d02d7b348a4deab2cb5c1a95207f611512eba3c7689eb196e9

SHA512
a02eff385483bb5831f3d984833e1fd65c5699ff82e01c76c0e77fee4ea8ad0da54f399e34f382a1d0c2325ad42d1bcedf95b3acb2dac00fa826ae12b5b0c733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
7e4b611d47a518ce5fef9b77b6d423c1

SHA1
838be013a205af747d3b591b6e2ee14b450bcd35

SHA256
c06eb47615fd2514356c4d3b2e5a093f59d9680590e83d94a106dbe4eae87d65

SHA512
3031cfe0f8c7d286e1814552563265d9f55b30fed8d1df8632ea93c5a0632c776f43458bf2ade898089d909008ec862b045a92f8754c2982092ff46eddb7ac53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
13ebc292c1431f5675bc48749193aaab

SHA1
7329f1a4d51c697e6c5fd92449138c80197c0452

SHA256
cb2682335844227e6d5186090e83327b254b8df9ed4f03b536377ba12dd28294

SHA512
ccfc6221b5c94b7b5fe61e33b286ccf57f6804a8cf0564395ba63af2bacae710f439bee3d5e4397341ad585995fc6e4691013b5e626ff89522973bab72c95072

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
a5ec52e235b51b62737775708aa75b41

SHA1
2fb3d2b31ec5cc4f81d8000ab73e1c42e56d9696

SHA256
36e9de882ef9c44bf0b55c230ae42233a142f5d416c114221b6bc6db2eb8d9db

SHA512
c89a016cae8e27bbc080300834410e72c00279ea74004f52c1c82bb5293c3abdda0b0aa5634b3157cd88bc81acadeeb4e8114789d0dd292273a3d2871ba094dd

Download Submit
\??\pipe\crashpad_4668_BNNLWTWNBSNELGLY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2132-12-0x000000001BD10000-0x000000001BDC2000-memory.dmp

Filesize
712KB

Download
memory/2132-13-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/2132-11-0x000000001BC00000-0x000000001BC50000-memory.dmp

Filesize
320KB

Download
memory/2132-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/2132-8-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/4808-9-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-1-0x0000000000720000-0x0000000000A44000-memory.dmp

Filesize
3.1MB

Download