quasar | 48d94bfa639ca4fd947e3fda203ccc16e3bb85761e11a0428f563753374de0ff

Analysis

max time kernel
44s
max time network
41s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Probemos.exe
Size

3.1MB
MD5

b4710cbc23ac3cca2e21b2d28e7c91c7
SHA1

0fdfaa530d55fab75c9dbb4452ace1c1f31deda0
SHA256

48d94bfa639ca4fd947e3fda203ccc16e3bb85761e11a0428f563753374de0ff
SHA512

c6663f8dca6cf42364b7ba711355b714423ee52635754a5ab8f8973cf6edefb0e2fcd9ed83299dc036fa4b6514ec4233a52c887b98b1c9bbbf0c837a258f7535
SSDEEP

49152:Dv+lL26AaNeWgPhlmVqvMQ7XSKWMYoybRALoGdeXTHHB72eh2NT:DvuL26AaNeWgPhlmVqkQ7XSKWXoNu

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

AdanFlores3912-54860.portmap.host:54860

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1020-1-0x0000000000830000-0x0000000000B54000-memory.dmp	family_quasar
behavioral1/files/0x0023000000045014-3.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
1136	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753524091115229"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
900	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
3420	chrome.exe
3420	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

Probemos.exeClient.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	1020	Probemos.exe
Token: SeDebugPrivilege	1136	Client.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe
Token: SeShutdownPrivilege	3420	chrome.exe
Token: SeCreatePagefilePrivilege	3420	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe
3420	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
1136	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Probemos.exeClient.exechrome.exe

description	pid	Process	procid_target
PID 1020 wrote to memory of 900	1020	Probemos.exe	83
PID 1020 wrote to memory of 900	1020	Probemos.exe	83
PID 1020 wrote to memory of 1136	1020	Probemos.exe	86
PID 1020 wrote to memory of 1136	1020	Probemos.exe	86
PID 1136 wrote to memory of 1044	1136	Client.exe	89
PID 1136 wrote to memory of 1044	1136	Client.exe	89
PID 3420 wrote to memory of 1828	3420	chrome.exe	99
PID 3420 wrote to memory of 1828	3420	chrome.exe	99
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 1140	3420	chrome.exe	100
PID 3420 wrote to memory of 2340	3420	chrome.exe	101
PID 3420 wrote to memory of 2340	3420	chrome.exe	101
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102
PID 3420 wrote to memory of 1532	3420	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Probemos.exe
"C:\Users\Admin\AppData\Local\Temp\Probemos.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:900
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffaafc0cc40,0x7ffaafc0cc4c,0x7ffaafc0cc58
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1564,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3696,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,13987740824950451401,2083499328188756277,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:4688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
13d162b0f89c36f218ecd18c43a73b35

SHA1
dc90934c138787c9c02bc2bcf5b68f232a5b3da1

SHA256
bae6c3472981b03a3939e0da53d1be94eef431d0978f81967f57dbd5f1598322

SHA512
d368245d8900fbdc8edb621d0ec90e601455b31b5b18dc0c4623f30b58f41a4b037ac59d6e24b97dddebeb98a17a38c87ac0b91501650cb5dae4b7251302ff6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5d96757d92e44216bf94f7f1035dc0c8

SHA1
0575498878f7fb61dde5a0c861d2914c4a641e6b

SHA256
65380fa8761a1e34db41aa7ea692e8cfb96e85d4393b0f230993f753fe2661ca

SHA512
b39cf73ada570023b07519106af6b7c10ca13d42eb92ee5c6b01322ddb038c84690f9d50f8895ae85910c9dfbab93257044096a724a36d8eedd80ecce9b43f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1a7520b237ed6274340ff5a08f48e7f3

SHA1
db1d808b95444524e97311ff03e51074175e5ed2

SHA256
0100b31b4089551c70a2fc06764d1001e7d1e326e62b5c2b7406a89a57d82fc8

SHA512
c4b98f4a433a783d30b7cb608b80f0f0c0e0182300299e73e8ecee10ef89d4ca9a00f715429aa4148263095e7804d08a6928f9f53e4702b7fab7ba1489f33a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7f3a57f99e91379abb39842f6d8f326e

SHA1
29126a359fe5b0245990c26e4dc206e993b15f52

SHA256
199f37f9beeccaff02fb3830efd11b91c327cb72bcf9a5785ee0e6ecf60e2669

SHA512
a413d40d04860150975ff412572248b97ac131b4186164cb83703849ac8be3af2d3205e1d344fc411405df7396663a41c44f3c37c71cd53c1c8b152d129a15d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
48e7dc21a9f3a074a2e1daf1efe3295b

SHA1
d2733e2a07534c534fe6118e4e5d21f084a83ba1

SHA256
1f77f3782ac63ef0839c4046c6db471366effe0deacf8cbb7a416a216e514815

SHA512
80eae3c117880edc850d6cbf4e1a9e36d35260477c9bbb1552ab6911ab3c2c2eea60542324a2f1037897ae056ede4025ba9aebe1ab9916c09ea1facecb4e29e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
d3c0f3965f6bdb5dc61cfe8ca470d437

SHA1
2724ad5f52f0c172042e56d53eb37901d0964aa8

SHA256
90af1d3b9a2201158cfd44687dab333a0de3778c1114c13320cf4f6093582b33

SHA512
c2539a150ad4d8bd6bb55aafcdf2b6e9d3f1f817f0856a89f68f8438f8d6ef6094301d99472392724d79249878e16a9f45a731408eb080bfe9cec8a746b65a62

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b4710cbc23ac3cca2e21b2d28e7c91c7

SHA1
0fdfaa530d55fab75c9dbb4452ace1c1f31deda0

SHA256
48d94bfa639ca4fd947e3fda203ccc16e3bb85761e11a0428f563753374de0ff

SHA512
c6663f8dca6cf42364b7ba711355b714423ee52635754a5ab8f8973cf6edefb0e2fcd9ed83299dc036fa4b6514ec4233a52c887b98b1c9bbbf0c837a258f7535

Download Submit
\??\pipe\crashpad_3420_LUBEZXDAJXICMRJI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1020-0-0x00007FFAB5FD3000-0x00007FFAB5FD5000-memory.dmp

Filesize
8KB

Download
memory/1020-5-0x00007FFAB5FD0000-0x00007FFAB6A92000-memory.dmp

Filesize
10.8MB

Download
memory/1020-2-0x00007FFAB5FD0000-0x00007FFAB6A92000-memory.dmp

Filesize
10.8MB

Download
memory/1020-1-0x0000000000830000-0x0000000000B54000-memory.dmp

Filesize
3.1MB

Download
memory/1136-6-0x00007FFAB5FD0000-0x00007FFAB6A92000-memory.dmp

Filesize
10.8MB

Download
memory/1136-14-0x00007FFAB5FD0000-0x00007FFAB6A92000-memory.dmp

Filesize
10.8MB

Download
memory/1136-13-0x000000001C6F0000-0x000000001C72C000-memory.dmp

Filesize
240KB

Download
memory/1136-12-0x000000001B180000-0x000000001B192000-memory.dmp

Filesize
72KB

Download
memory/1136-9-0x000000001C770000-0x000000001C822000-memory.dmp

Filesize
712KB

Download
memory/1136-8-0x000000001B0D0000-0x000000001B120000-memory.dmp

Filesize
320KB

Download
memory/1136-7-0x00007FFAB5FD0000-0x00007FFAB6A92000-memory.dmp

Filesize
10.8MB

Download