quasar | 4d9417d9d1f8779020682a3882dc72979a504ea9b71ef51b37084556aa0d7205

Resubmissions

07/08/2024, 00:14

240807-ajameavelq 10

07/08/2024, 00:10

240807-agetcaycqd 10

Analysis

max time kernel
63s
max time network
135s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

6f2f7543e46ca0cd1eecf947d68b0ec8
SHA1

7cf099fee562af351bebcea654e660fb05a5e736
SHA256

4d9417d9d1f8779020682a3882dc72979a504ea9b71ef51b37084556aa0d7205
SHA512

5851ea5dc7f9160256fb28fb89784fbbe40e244b55f083175382464eafa6c39d8b0c88aead34812c7c9f1abb6ccc1db84f65d379b4e1e6b65f65dc1a1902117c
SSDEEP

49152:ivyI22SsaNYfdPBldt698dBcjHh/RJ6EbR3LoGdf41THHB72eh2NT:ivf22SsaNYfdPBldt6+dBcjHh/RJ6O

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.85:4782

Mutex

d31c90bf-6e6a-483d-9f59-e618a1e6c7c9

Attributes

encryption_key
705FA42F7E103298DD84CEB0EA11F1B6B9143152
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1700-1-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/files/0x000800000001711a-6.dat	family_quasar
behavioral1/memory/2436-10-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2436	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe
2444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	Client-built.exe
Token: SeDebugPrivilege	2436	Client.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2436	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2296	1700	Client-built.exe	31
PID 1700 wrote to memory of 2296	1700	Client-built.exe	31
PID 1700 wrote to memory of 2296	1700	Client-built.exe	31
PID 1700 wrote to memory of 2436	1700	Client-built.exe	33
PID 1700 wrote to memory of 2436	1700	Client-built.exe	33
PID 1700 wrote to memory of 2436	1700	Client-built.exe	33
PID 2436 wrote to memory of 2444	2436	Client.exe	34
PID 2436 wrote to memory of 2444	2436	Client.exe	34
PID 2436 wrote to memory of 2444	2436	Client.exe	34
PID 2676 wrote to memory of 2708	2676	chrome.exe	39
PID 2676 wrote to memory of 2708	2676	chrome.exe	39
PID 2676 wrote to memory of 2708	2676	chrome.exe	39
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 3008	2676	chrome.exe	41
PID 2676 wrote to memory of 2928	2676	chrome.exe	42
PID 2676 wrote to memory of 2928	2676	chrome.exe	42
PID 2676 wrote to memory of 2928	2676	chrome.exe	42
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43
PID 2676 wrote to memory of 2004	2676	chrome.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2296
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2444

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef7d9758,0x7feef7d9768,0x7feef7d9778
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2040 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1824 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:8
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1484 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3496 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2604 --field-trial-handle=1364,i,17956467382355669551,5115583453170961079,131072 /prefetch:1
  2⤵
  PID:2612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
4e0fcd55d4524ae1d7bf608dd237cae0

SHA1
3043ccd75f2ba093cc2d5bcb531e305a7268881f

SHA256
cf297d908b06b77a8bff2cd55442dbd76d496a656583c1b2bb3391518ab52fc3

SHA512
7d579f4ecf7488177e929937917490e8cee71ed7a9dddd3876b24efb29424689252bbb3ee3aff4f26ba838d8346b7d56142deec330483b23c04f019a9d578907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d511210cfc62289ec2bccdbed9a77bf3

SHA1
e1c4cd6cd93feab84be84d5283448e38511dea31

SHA256
b3229991e727f79f71f00452fb3e9c55e583db25f814696720b9bc37cc29b04d

SHA512
96de7854512e218165d22d9519733425efcbef995d48f3cd7bfea0bc1a3551602dcd8343490e828c2c39bd3741bcc3187a2ee4640056ff30ae7a6cde6f114b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3e677139388b2c2ff04f45899fac2069

SHA1
e06c2d6a05beb6e41c8fe16d8ba5fa361f577fbd

SHA256
11d5fa4484f6c037e8fbc3c3e7ed73c18e90d72a64328792eb24578a5f3df0bb

SHA512
5e419368018e5df67abcd01e40ac934c0f0e1912433ab2f83cbaa4f98ee043ea2a280cb17796945546020f78a6420813b339466911e3f3eefb7cab9d81532e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fb01a2844560ba3e18cbf4cc40c1689b

SHA1
af8ac9c018a7da7fe69d1640f5d724734986df9b

SHA256
78319823896026380f959e37dc14b917fc26202080ee23f82513bd03d7ea23c0

SHA512
08c8e2b997f682dd36d832d8610bcba8afd93fae9eb9700077fa521ad317b4784afc6ddc31a286e29d049d8fc25ef76c8d91774eb73bcdfa006667e69038e157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
310KB

MD5
6d2a74f516df71f5f6ab37ca2d67d62c

SHA1
1586dc6bbc687d4c5659db2813fb6972ccb49293

SHA256
0d12d854b13d54c55a3290e3caac7b450583a861e13f012fbd853078e9e88caa

SHA512
fff5b22558bd67c76ba121b88f030760baca1144e28881553eca3045d8496ba871346229fb1f23b212b7a07398d58d9c4f32a39dd60f708181be9a00c89dc48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c064666d-a7af-40b7-aaf6-6f1d4e0d65e4.tmp

Filesize
310KB

MD5
4f66317cf9d8d015351286e098d4bae0

SHA1
1583b4c64d2c52a2477a18d697922861283806b1

SHA256
a64777843d9cf9071edac21016cd4dd17aaa1f9829b6f5af225ebe0b55c56591

SHA512
7725b0f9831af1b4a6991ce2823e69286cc7b499d221102a3bc6a1a63b6870d23efa3f538c52dc41e643026817e6a2d4fd04ad5ab4ba57b6bf60f01ffb4f8cd6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
6f2f7543e46ca0cd1eecf947d68b0ec8

SHA1
7cf099fee562af351bebcea654e660fb05a5e736

SHA256
4d9417d9d1f8779020682a3882dc72979a504ea9b71ef51b37084556aa0d7205

SHA512
5851ea5dc7f9160256fb28fb89784fbbe40e244b55f083175382464eafa6c39d8b0c88aead34812c7c9f1abb6ccc1db84f65d379b4e1e6b65f65dc1a1902117c

Download Submit
memory/1700-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

Filesize
4KB

Download
memory/1700-9-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/1700-2-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/1700-1-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/2436-62-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-11-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-10-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2436-8-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download