quasar | 900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 04:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Venom.exe
Size

3.1MB
MD5

1348632fc2ede08cab5db1cb174ff0d3
SHA1

2a1966291aa0e7aee1b039a1a75fa4879489a2be
SHA256

900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf
SHA512

52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb
SSDEEP

49152:avht62XlaSFNWPjljiFa2RoUYItFW7Bxn+oGdzTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYIrW2

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.246:4782

Mutex

1e9de725-2f46-4350-b6c8-78b3b776a085

Attributes

encryption_key
ACF3D3BDCC7612495B863F26348AD4EE3B96458B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
venom
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3748-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar
behavioral2/files/0x000a0000000233a2-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3048	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1880	schtasks.exe
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	chrome.exe
5080	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	Venom.exe
Token: SeDebugPrivilege	3048	Client.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3048	Client.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3048	Client.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1880	3748	Venom.exe	84
PID 3748 wrote to memory of 1880	3748	Venom.exe	84
PID 3748 wrote to memory of 3048	3748	Venom.exe	86
PID 3748 wrote to memory of 3048	3748	Venom.exe	86
PID 3048 wrote to memory of 1488	3048	Client.exe	87
PID 3048 wrote to memory of 1488	3048	Client.exe	87
PID 5080 wrote to memory of 2200	5080	chrome.exe	94
PID 5080 wrote to memory of 2200	5080	chrome.exe	94
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 3904	5080	chrome.exe	95
PID 5080 wrote to memory of 4948	5080	chrome.exe	96
PID 5080 wrote to memory of 4948	5080	chrome.exe	96
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97
PID 5080 wrote to memory of 2872	5080	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Venom.exe
"C:\Users\Admin\AppData\Local\Temp\Venom.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1880
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffba107cc40,0x7ffba107cc4c,0x7ffba107cc58
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,4994021697980558851,15064107561627459596,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
00a2950f0bb1c86b6eea354426175b95

SHA1
e75316d5afe036f339a82d8e235b31cffd3c85f7

SHA256
22261728ad0c492160414142e3d93640aac0b4b88bd0aadd06cee7859ae63394

SHA512
06528a6782d639a633c946ebd67774f7f765fb0c70f0bce11adfdd5fb59c4df9c08cffa60e8e59cc085f4145f69ba7c15acdb78ddb6e9ca29e3189adc2fdffab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b6ef3e7d7c7d16d4db7bc18cc927354a

SHA1
fc96237ad9aa9bcb583a8537aabc30b7594999b3

SHA256
35fd729dc8ad3ffc2b5f045a20cdf7deb7120d6faca0ad0b384d7fa08c4ef9f8

SHA512
8efe6e5d6cf5653838f13b5d4684521eec236d9e1f58437f3ba52d321309bddab1e0d1361757367c001b68686a8e715bc5155d018e148a5141cf654440ba8834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d4060913d14b177ea3db447bdfcfbdd4

SHA1
c13a56e97b9858b3616a96dd20b3f22050e4f3b8

SHA256
4bc0cf59815462b3d124b694c4ca507a57b4a32f27903c47cbddf367920703c4

SHA512
d6a438feb77daa14ba14841f5bfe909062651f270188aeac8cb4f2e2b03b87f288a7726a3a73480d909329fde72e446222467f0628452042959f4cb91404c34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
84961fd03f20e49521ecd74b9ba0445a

SHA1
e95458f94f7e1a9d5e354f8095c184f9a8b69d8a

SHA256
bf2a22cb9ac570057205187d9d02735335f3a721857a1835288eee3dd3f8531f

SHA512
5178e5332f287da1c01400383afef0b23363c4c8213e3ffde2ca3b43a80b278d455885a353ae9d789aadfcc6283e30d39274011b82b397d9a6830749e95dfee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
df7896ec17bd995b4c34e950a20d78a0

SHA1
1deee02f7328a67287848a2c548e2c19f7eb50c9

SHA256
67ad93d8a5c50dcbe32baceb245b0815499a59f9b27104fc90aa721ce748bc4c

SHA512
3b384964695d007d420637bde3fd82daac4b885d3cfd71f800c23847114a54563b089e6c7cc5bfff4edf5a7feefae56fe2d6d9d2b3a591ea370ac7e8a8335757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1bd9d30a7895decdd186af9de1cf774

SHA1
4c4117974aac527fbea555d1e175591127a87406

SHA256
2d7a3050688f0fb427a00d5c12d16dfcf1cdc22c400c67785887fdb9ab1fbaf5

SHA512
9d71194a46fc60e5e43b860774c04f7f22f396e8dd224e2c32f0886f96b6676753e16359bbea6acaec44c32d77914ff27204086ffb31e336ee3dc3ddc033455c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8c045799dbf00ec06f7641ffdf18751e

SHA1
e16c71960edb268047fe68644c4dd5c6cae383df

SHA256
6a37f2fd39c56ab7fbccf09393e56334e2b7cdd9918469575114c533d0dc1aff

SHA512
d97cd4fbb18e0113661f9d1fbca11fa1a08511102caa958ab0bc055a780966c8ab37197eb046bdd33fe52af3e184fc105f2a83cf4b3695e3529bca9e5e717642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
103e1db461c7cb045fbbfa1aaf67fde7

SHA1
2d30625190326b5316c1f93d6934e0d922d731d0

SHA256
49a15f05921f162334682e95b2ff83f2b2b837ca1917414316ec87d68c3c608b

SHA512
34b3a86fc5718b7a2d9bcccaa2420a5a117554a35ce9e6766913b2145e642c5181b2443bd01df872a84d7ab28ac356622c649ca59cc777bfe49bcde153aa83de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bf505bfd-d264-4e17-a4e4-64e918c554d2.tmp

Filesize
7KB

MD5
bdc4110bd0ff516287a22bd3d743fdc8

SHA1
0cc7ac1fbc5413a85b13308c5526c628599c1002

SHA256
658773582bd561094eba2e82d7bcdf60b028203111acaa1e721760c8755abea1

SHA512
0d221efc25752d8b6cc4d5e5566dfac782e2371d615dce05bfbd571d6e16e981bd4aaed5785f429ac52c50fd110fc249c83f1311de73602a7ba3490e69f7e5d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b28b69782c5d10b45b63781d94664615

SHA1
b6b2cd8198b92712016b7832192cd190f3d7990a

SHA256
1672bc0c7c9485db9f697f27ce086a6b3ca46712a6df2f7af4df9110f4dc9371

SHA512
120f566c3a7f55df896536f464e673a8fa27189dc1ee017cbb0e079dc0bd80243458d84b2b718a7a7d6916d38da2b51b6a1662c90b502888fc434cca6eca375e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
aca981c8c96c91108748e3be6572bc2e

SHA1
bf4655c4d280a8737257a329458781ed5dc19f80

SHA256
42a52848eeaa8564665993aeeedb3b7f7b2138e26a66e8c1bda37e93cde796b6

SHA512
29d54089556786885acbd8df56c4f0d48b901b3e45f235821f4c7ed7b1cf09fe28c90bed64a2d5d7cbf0c9c6d51ff9c5abf3360c55402203ffae760c33d79784

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
1348632fc2ede08cab5db1cb174ff0d3

SHA1
2a1966291aa0e7aee1b039a1a75fa4879489a2be

SHA256
900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf

SHA512
52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb

Download Submit
memory/3048-14-0x00007FFBA6900000-0x00007FFBA73C1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-13-0x000000001CA00000-0x000000001CAB2000-memory.dmp

Filesize
712KB

Download
memory/3048-12-0x000000001C8F0000-0x000000001C940000-memory.dmp

Filesize
320KB

Download
memory/3048-11-0x00007FFBA6900000-0x00007FFBA73C1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-10-0x00007FFBA6900000-0x00007FFBA73C1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-0-0x00007FFBA6903000-0x00007FFBA6905000-memory.dmp

Filesize
8KB

Download
memory/3748-9-0x00007FFBA6900000-0x00007FFBA73C1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-2-0x00007FFBA6900000-0x00007FFBA73C1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-1-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download