quasar | ca182b6ce56a01a69122b24469fe5ad78e0cda78caeb49e5a814e2ac5774a10a

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

1e48869d1ce254c1aba0e61aedcdba8e
SHA1

cf79b1e78d9e1616208e653c4df4eef3b9f7360b
SHA256

ca182b6ce56a01a69122b24469fe5ad78e0cda78caeb49e5a814e2ac5774a10a
SHA512

fc6469a2297258cd9723f2d6c795e78c5b065ed709384bb18fe0fb8255cb2760e0633ec2683652ef88abd87ac21ef1d31eee3fd35e64f464d4da0c205fdcb343
SSDEEP

49152:7vilL26AaNeWgPhlmVqvMQ7XSKeQ03far7ToGddTHHB72eh2NT:7vaL26AaNeWgPhlmVqkQ7XSKu3Y

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.150:4782

Mutex

4fa54cdc-4bee-4759-b0fd-21bb6d6f9eed

Attributes

encryption_key
99A3D9CE1DE6501187FC4C0E50EBB3FE8AD7B9A8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Task Manager Worker Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/2348-1-0x0000000000250000-0x0000000000574000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3928 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral2/memory/2348-1-0x0000000000250000-0x0000000000574000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642278687284739"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2016 schtasks.exe
3276 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4884 chrome.exe
4884 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid process

3928 Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4884 chrome.exe
4884 chrome.exe
4884 chrome.exe

pid	process
2016	schtasks.exe
3276	schtasks.exe

pid	process
4884	chrome.exe
4884	chrome.exe

pid	process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2348	Client-built.exe
Token: SeDebugPrivilege	3928	Client.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

Client.exechrome.exe

pid	process
3928	Client.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

Client.exechrome.exe

pid	process
3928	Client.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3928 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 2348 wrote to memory of 2016	2348	Client-built.exe	schtasks.exe
PID 2348 wrote to memory of 2016	2348	Client-built.exe	schtasks.exe
PID 2348 wrote to memory of 3928	2348	Client-built.exe	Client.exe
PID 2348 wrote to memory of 3928	2348	Client-built.exe	Client.exe
PID 3928 wrote to memory of 3276	3928	Client.exe	schtasks.exe
PID 3928 wrote to memory of 3276	3928	Client.exe	schtasks.exe
PID 4884 wrote to memory of 4016	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4016	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 3212	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4956	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4956	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe
PID 4884 wrote to memory of 4932	4884	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Task Manager Worker Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Task Manager Worker Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\erm what the sigma.txt
1⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8424ab58,0x7ffa8424ab68,0x7ffa8424ab78
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:2
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:1
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:1
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:1
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3644 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=2012,i,4005588376665138601,6689442666498379757,131072 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
e70e7fad7df5e576d36795e5966553f5

SHA1
a4bac1b50afa590426c741a6d18dc9d0957a7f3c

SHA256
fcebed0ee0e9ed6d7a162ca76c8f0edb3addaac4d8f42c65c995cf4cd0cb3038

SHA512
a3adaf120060f4905a0c5180f564bf515f789e9b72fd048b7bb3ae6e80642c11290988b9adc6c676d0ffa65aa813ef5c4f084d552200f25a3d121f43058e283d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6f9577310a4f9c042aaf9a4ecb8ef6da

SHA1
15056fa29dec57a0181ac09e930943d1693ae836

SHA256
a01515c23c32f0a14c40c89d11cdcd607a6d30a7d4326419604b6c6542a85ada

SHA512
4ced8fb95b50b39caa1699a547548d933a395d74db6deee3bbacef7437d47deb935d046b0bab79a40c959f0a11cab2ad400c9cdba1f71390e9d0731b06fd33e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
42d9407c45ba5bdfad6be0aa924a4847

SHA1
d6b487f7e73afc051d22fe1c8438065dda4721c2

SHA256
9174eb1a6e71c35edf9249be3119d507657a98949f149b874f5b55d7d314a20e

SHA512
a6f30b8ce65a6b55089d3e175f0b8083304ac38878c7eef7268674d13ea5cb888218488001ce030fd75fe680cf4c2957687f819481ba655fe44692cdf74e4fd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
91453da011329532d539217c601552da

SHA1
0528ed3b651b35efa093665332bdf7f20288ffe0

SHA256
5b45f698546d506a4ddfc418cc4e287e14802268471bb444108bea2d969a24d1

SHA512
9a8d3e6b89e6d8f8bf12592cec530188daaabac457d713133e3496f8e5fc2ab5a6a43f09bbaa103f0d80105b1d68cd7ed25484974205e8aaceadbe28866afe24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
d1f4e99064295c0cabdd616d8f77aee6

SHA1
55ab780d192d4f4ca2fcadac311576dbde1916c2

SHA256
2ca6b33d29661cbc4da35e7a3f9ed27c6f6ab2a0c9eb4e81445fd944c9e73d63

SHA512
23ff7eeb8619bd06da0665a3bd43d05c1ebd3791f5a7501ca68f8729bb296a37d1a5bb1cd452e742500680a6cb2f50b01b983bf39893b2bb9b423767efecf220

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
1e48869d1ce254c1aba0e61aedcdba8e

SHA1
cf79b1e78d9e1616208e653c4df4eef3b9f7360b

SHA256
ca182b6ce56a01a69122b24469fe5ad78e0cda78caeb49e5a814e2ac5774a10a

SHA512
fc6469a2297258cd9723f2d6c795e78c5b065ed709384bb18fe0fb8255cb2760e0633ec2683652ef88abd87ac21ef1d31eee3fd35e64f464d4da0c205fdcb343

Download Submit
\??\pipe\crashpad_4884_SHOFSEUEFKYPBYMN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2348-9-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp

Filesize
10.8MB

Download
memory/2348-0-0x00007FFA8DB53000-0x00007FFA8DB55000-memory.dmp

Filesize
8KB

Download
memory/2348-2-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp

Filesize
10.8MB

Download
memory/2348-1-0x0000000000250000-0x0000000000574000-memory.dmp

Filesize
3.1MB

Download
memory/3928-14-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp

Filesize
10.8MB

Download
memory/3928-15-0x000000001C9A0000-0x000000001CEC8000-memory.dmp

Filesize
5.2MB

Download
memory/3928-13-0x000000001BF70000-0x000000001C022000-memory.dmp

Filesize
712KB

Download
memory/3928-12-0x000000001BE60000-0x000000001BEB0000-memory.dmp

Filesize
320KB

Download
memory/3928-11-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp

Filesize
10.8MB

Download
memory/3928-10-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp

Filesize
10.8MB

Download