quasar | a72f77cddbd993e606115287c8806adbd6b08e3217a6c6ea9a8f31fdca56c317

Analysis

max time kernel
109s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

e010924db36ba5093382221cdf0c89df
SHA1

09e2ab5a296e5500001cee9481b8a066b1f400e5
SHA256

a72f77cddbd993e606115287c8806adbd6b08e3217a6c6ea9a8f31fdca56c317
SHA512

1c3bf5fd4a36438376416ba7c7758929403a74d37805ff283aede3586bbd2e4aa2b41bc5aa9e79523e1940bdeafcb60d15c74a88d7de82a5f21dbd507591a0f0
SSDEEP

49152:3vHI22SsaNYfdPBldt698dBcjHDJSC1J6loGdsTHHB72eh2NT:3vo22SsaNYfdPBldt6+dBcjHDJSv

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.26.243:4782

Mutex

51d612b2-dcb5-4477-9ee7-748df2f891d3

Attributes

encryption_key
D7CE15708C398D1F0A3B43032DE529C00B9A8B5F
install_name
windowsupdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
msedge.exe
subdirectory
Win64

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2164-1-0x0000000000880000-0x0000000000BA4000-memory.dmp	family_quasar
C:\Windows\System32\Win64\windowsupdater.exe	family_quasar
behavioral1/memory/2620-9-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

Processes:

windowsupdater.exe

pid process

2620 windowsupdater.exe

pid	process
2620	windowsupdater.exe

Drops file in System32 directory 5 IoCs

Processes:

Client-built.exewindowsupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Win64\windowsupdater.exe	Client-built.exe
File opened for modification	C:\Windows\system32\Win64	Client-built.exe
File opened for modification	C:\Windows\system32\Win64\windowsupdater.exe	windowsupdater.exe
File opened for modification	C:\Windows\system32\Win64	windowsupdater.exe
File created	C:\Windows\system32\Win64\windowsupdater.exe	Client-built.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2044 schtasks.exe
2760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2528 chrome.exe
2528 chrome.exe

pid	process
2044	schtasks.exe
2760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exewindowsupdater.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2164	Client-built.exe
Token: SeDebugPrivilege	2620	windowsupdater.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowsupdater.exe

pid process

2620 windowsupdater.exe

pid	process
2620	windowsupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exewindowsupdater.exechrome.exe

description	pid	process	target process
PID 2164 wrote to memory of 2044	2164	Client-built.exe	schtasks.exe
PID 2164 wrote to memory of 2044	2164	Client-built.exe	schtasks.exe
PID 2164 wrote to memory of 2044	2164	Client-built.exe	schtasks.exe
PID 2164 wrote to memory of 2620	2164	Client-built.exe	windowsupdater.exe
PID 2164 wrote to memory of 2620	2164	Client-built.exe	windowsupdater.exe
PID 2164 wrote to memory of 2620	2164	Client-built.exe	windowsupdater.exe
PID 2620 wrote to memory of 2760	2620	windowsupdater.exe	schtasks.exe
PID 2620 wrote to memory of 2760	2620	windowsupdater.exe	schtasks.exe
PID 2620 wrote to memory of 2760	2620	windowsupdater.exe	schtasks.exe
PID 2528 wrote to memory of 2544	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2544	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2544	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 1060	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2392	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2392	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2392	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe
PID 2528 wrote to memory of 2972	2528	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "msedge.exe" /sc ONLOGON /tr "C:\Windows\system32\Win64\windowsupdater.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\Win64\windowsupdater.exe
"C:\Windows\system32\Win64\windowsupdater.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "msedge.exe" /sc ONLOGON /tr "C:\Windows\system32\Win64\windowsupdater.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef0029758,0x7fef0029768,0x7fef0029778
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:2
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:8
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:2
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2188 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:2
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3252 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:1
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1204 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1172,i,2925016970387883880,17335261689899861797,131072 /prefetch:8
2⤵
PID:772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
41ddcb39c7da3285f8168613d3228a9f

SHA1
99ef6c41848d03b88f6f20a21f2748f080813fc6

SHA256
9f80255a37879cd785a7e7e346f7b4a0644813a2d690f77067c66a37f968ea2f

SHA512
8511702a0323fa7a6168f93370dbf04195ad78c5a01f9b4fcf939f9d66368c59713ccadd82a365f9b0431234721435604165d1a1560f8a61b4e15329569cd0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4576c1ea305b1519e17339b586a5b82a

SHA1
aee92e489714ca1d8e35756f293a13b44ad0bd51

SHA256
01643441deb8c38de5c1c9b83f3668dc5eb3c70bfbc0392157250944f7b52eee

SHA512
71e72c15d86e849de48eb1ea215302abbac4597c7626fb512d03a2f3b72807b35b148d029a8d282a4a5c6fdd1ca129ac5a4537f861a4f65df5441f35c41556a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Windows\System32\Win64\windowsupdater.exe
Filesize
3.1MB

MD5
e010924db36ba5093382221cdf0c89df

SHA1
09e2ab5a296e5500001cee9481b8a066b1f400e5

SHA256
a72f77cddbd993e606115287c8806adbd6b08e3217a6c6ea9a8f31fdca56c317

SHA512
1c3bf5fd4a36438376416ba7c7758929403a74d37805ff283aede3586bbd2e4aa2b41bc5aa9e79523e1940bdeafcb60d15c74a88d7de82a5f21dbd507591a0f0

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2164-10-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-1-0x0000000000880000-0x0000000000BA4000-memory.dmp

Filesize
3.1MB

Download
memory/2620-11-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-12-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-13-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-9-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/2620-8-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download