quasar | 7ad17f624e1bb05a2851647c2bd1abce1b4ebd204d29df513bcda18d4749e921

Analysis

max time kernel
25s
max time network
28s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-01-2025 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlappyBird.exe
Size

3.1MB
MD5

414600d00de783a17b23b21c76716f12
SHA1

3932c9844bb194a155910ad90478296e2ae0cffa
SHA256

7ad17f624e1bb05a2851647c2bd1abce1b4ebd204d29df513bcda18d4749e921
SHA512

01eabaeb3b205661157961af880c4a15a23b3f0c64b2f1d2a8c759b715e5e9dd10875299aac61b7dcea645cffd462acb1d580399d9f1efd78bed9d2896835399
SSDEEP

49152:YvSI22SsaNYfdPBldt698dBcjHNUFwLo+d1iy82x81THHB72eh2NT:Yv/22SsaNYfdPBldt6+dBcjHNUFOh6

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/380-1-0x0000000000190000-0x00000000004B6000-memory.dmp	family_quasar
behavioral1/files/0x0028000000046142-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
232	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133820554069934852"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4768	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	FlappyBird.exe
Token: SeDebugPrivilege	232	WindowsUpdate.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe
Token: SeShutdownPrivilege	1084	chrome.exe
Token: SeCreatePagefilePrivilege	1084	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe
1084	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
232	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4768	380	FlappyBird.exe	82
PID 380 wrote to memory of 4768	380	FlappyBird.exe	82
PID 380 wrote to memory of 232	380	FlappyBird.exe	84
PID 380 wrote to memory of 232	380	FlappyBird.exe	84
PID 1084 wrote to memory of 2932	1084	chrome.exe	88
PID 1084 wrote to memory of 2932	1084	chrome.exe	88
PID 232 wrote to memory of 2060	232	WindowsUpdate.exe	89
PID 232 wrote to memory of 2060	232	WindowsUpdate.exe	89
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 3284	1084	chrome.exe	91
PID 1084 wrote to memory of 1660	1084	chrome.exe	92
PID 1084 wrote to memory of 1660	1084	chrome.exe	92
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93
PID 1084 wrote to memory of 416	1084	chrome.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlappyBird.exe
"C:\Users\Admin\AppData\Local\Temp\FlappyBird.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4768
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffcb024cc40,0x7ffcb024cc4c,0x7ffcb024cc58
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1644,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3728,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3316,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3416,i,14493838816879028849,18328722746662882665,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:4712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a1818bd6fac0d3528c876f3fc7220e5e

SHA1
7a4979bf941e2859fdecf491c2c9b49e154e4a3d

SHA256
ab734684c19a7a409e5789694ec677696db5c41ec0aa426a24e0b1348dac30fd

SHA512
12e950e2385e84e6803f1afec6e5c60d7536ac3e45e7ce555a18099160a94c195986c516abc33bda59d64127f6cdba95effcbbaedd23d1105ec7490759e006b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7ca06f196b761b83ad8017656cb47772

SHA1
88426d1611e698f38ba953094e3d25999a8389ee

SHA256
788482c9871c3e92b9c46bd36c1fcf110456e2fd57cdb5a5338dc07812fc23f6

SHA512
d841e85ac205602b314dc64a4987e080ba8c1b2dbfbe0d22696fa02c8f27d021ca0ae49fd49bf7d6165236beee1d0eb50eb9e988829ca25fe041a68bb1690073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
7ee8aa026970e5e3d9c5d51d9644f4ec

SHA1
7cb6bcda27fbfc29c7449788051f251068172be9

SHA256
5308990fcf3cb8196534b2b114c5c76c4e76de336ee3793c69bc7f9bfbc028ae

SHA512
6375d1639fddee65be1c5b54d39f17bd572f1d1a37a04942123b2ba4bab72785231866a2af728b2db609e428ca2448cf0475a0926b6623b88c48bda3ae8ae9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cff02e38d0c22a256953fb375af1891

SHA1
31ae225752ad5491a0232b430e88d5190158debc

SHA256
fb5a9c41f8083ec220b187610a0d7eb20e2b76d5247aea89f41f44d713c1ea57

SHA512
b9b1cab0800bff93629e4caff1ee5081d5b045c0d4f65ba1b34e48220d49e00c15fff0fcea5f48845bb8335addea0f607374c7ab6a2a8851c750e3892ad8b50e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e81496e467a36b55b758ab3a389844f2

SHA1
7331f7018d0dcf719da561cd43299c136a9e8381

SHA256
c29ab6dd1c4c685256409ea5fead18627c868a482e229d5fecd1cd27cb56c0b8

SHA512
1283333d824d66b17aeca91b450fbb1771ba4766df1ac718b0fff2658fca716f4b05289e846fb4d0346ca1793afd672cdce71bf77dcd8e5b1a7d9f247002011c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
80ac4101b5c5b072129b150964fb6130

SHA1
0ffef18e3c84d60863a7889af7fe6653b43134c7

SHA256
4f0aa30bfed5331e48997ed28e3a2dc61b03070c9335e7e6d93e5efafee9892c

SHA512
7abf8bd52787cd0653827caa091d4f797bb4e130e7765a268ca873de2f79adcd9d4bee71e78afc507adc3c4d1392ae15e94249622bb59d27dbccae8a071005de

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

Filesize
3.1MB

MD5
414600d00de783a17b23b21c76716f12

SHA1
3932c9844bb194a155910ad90478296e2ae0cffa

SHA256
7ad17f624e1bb05a2851647c2bd1abce1b4ebd204d29df513bcda18d4749e921

SHA512
01eabaeb3b205661157961af880c4a15a23b3f0c64b2f1d2a8c759b715e5e9dd10875299aac61b7dcea645cffd462acb1d580399d9f1efd78bed9d2896835399

Download Submit
memory/232-19-0x000000001CD50000-0x000000001D278000-memory.dmp

Filesize
5.2MB

Download
memory/232-18-0x000000001C660000-0x000000001C712000-memory.dmp

Filesize
712KB

Download
memory/232-37-0x000000001C600000-0x000000001C612000-memory.dmp

Filesize
72KB

Download
memory/232-38-0x000000001CC60000-0x000000001CC9C000-memory.dmp

Filesize
240KB

Download
memory/232-179-0x00007FFCB57D0000-0x00007FFCB6292000-memory.dmp

Filesize
10.8MB

Download
memory/232-17-0x000000001C550000-0x000000001C5A0000-memory.dmp

Filesize
320KB

Download
memory/232-7-0x00007FFCB57D0000-0x00007FFCB6292000-memory.dmp

Filesize
10.8MB

Download
memory/232-6-0x00007FFCB57D0000-0x00007FFCB6292000-memory.dmp

Filesize
10.8MB

Download
memory/380-0-0x00007FFCB57D3000-0x00007FFCB57D5000-memory.dmp

Filesize
8KB

Download
memory/380-5-0x00007FFCB57D0000-0x00007FFCB6292000-memory.dmp

Filesize
10.8MB

Download
memory/380-2-0x00007FFCB57D0000-0x00007FFCB6292000-memory.dmp

Filesize
10.8MB

Download
memory/380-1-0x0000000000190000-0x00000000004B6000-memory.dmp

Filesize
3.1MB

Download