quasar | 913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3

Analysis

max time kernel
85s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows-Defender-Secuirty.exe
Size

3.2MB
MD5

9ba5115936784f8cb9ac69bd61736c55
SHA1

dac63ba8cc947740f97d83d734eb6010a67e983c
SHA256

913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3
SHA512

9628b5787262619bf752e66bbefd668ffde71036beb8672b4ec35c0cea5d37ce2b181e3a2c7ca56bacab4752516174ee72b917954d4dfe5790fe986da9b79d22
SSDEEP

49152:4vElL26AaNeWgPhlmVqvMQ7XSK4MR16tbR3NoGdq6THHB72eh2NT:4vkL26AaNeWgPhlmVqkQ7XSK4MR16Z

Score

10^/10

quasar minecraft discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Minecraft

193.161.193.99:31740

Mutex

7424fadc-becc-4b4c-bea3-27b51a34ad76

Attributes

encryption_key
69C432FEA7A429312DD8D56BD03E551FF7516129
install_name
SecurityHealthManager.exe
log_directory
lom
reconnect_delay
3000
startup_key
SecurityHealthManager
subdirectory
Health

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4416-1-0x0000000000800000-0x0000000000B3E000-memory.dmp	family_quasar
behavioral2/files/0x000d000000023b6b-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2044	SecurityHealthManager.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832331743743304"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	Windows-Defender-Secuirty.exe
Token: SeDebugPrivilege	2044	SecurityHealthManager.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2044	SecurityHealthManager.exe
2044	SecurityHealthManager.exe
2044	SecurityHealthManager.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2044	SecurityHealthManager.exe
2044	SecurityHealthManager.exe
2044	SecurityHealthManager.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2044	SecurityHealthManager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2476	4416	Windows-Defender-Secuirty.exe	86
PID 4416 wrote to memory of 2476	4416	Windows-Defender-Secuirty.exe	86
PID 4416 wrote to memory of 2044	4416	Windows-Defender-Secuirty.exe	88
PID 4416 wrote to memory of 2044	4416	Windows-Defender-Secuirty.exe	88
PID 2044 wrote to memory of 344	2044	SecurityHealthManager.exe	89
PID 2044 wrote to memory of 344	2044	SecurityHealthManager.exe	89
PID 4652 wrote to memory of 5112	4652	chrome.exe	99
PID 4652 wrote to memory of 5112	4652	chrome.exe	99
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 228	4652	chrome.exe	100
PID 4652 wrote to memory of 3532	4652	chrome.exe	101
PID 4652 wrote to memory of 3532	4652	chrome.exe	101
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102
PID 4652 wrote to memory of 1940	4652	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows-Defender-Secuirty.exe
"C:\Users\Admin\AppData\Local\Temp\Windows-Defender-Secuirty.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "SecurityHealthManager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2476
- C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe
  "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "SecurityHealthManager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d0ecc40,0x7ff84d0ecc4c,0x7ff84d0ecc58
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,4743310477815524498,5878126210967137421,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:4672

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f720f02d02f0428d3b7d2885de382d35

SHA1
dc63522988b24437f6ba605c652e8807838f8a31

SHA256
de1fe62af04b443c7e927c1695254e2cd71af521ed07577779142f8ae6bf7c17

SHA512
5d5b3b142a4f7d8a54fb4952fb95d695a3479c9ec4229976bcd04049284c223bc61a00368aa8c4030432674a924b4f63adf0325bb66991493407ef09d53f5056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e7adf8523e5cc5f01fb4a0fa95b8a973

SHA1
fb81334bdd4252600e3080e4b45981f9d8fb4b59

SHA256
4d92529b9f30596ee924a4ed75defe16a2077e11ffb43815b5ac1a291b405960

SHA512
92e74db7f918e5bdab15fcaf93ca6709d8b90f73c3576f8794720dc63ea12608e9c2ade5c25399e2920097d6f26f3bab20ae1bfed275c64a714712c618fc01fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6bc7890d57231c1a51538ec80ef59a19

SHA1
3057aaaa2790e1ed66060fd747865bc65cec413c

SHA256
92b433fbb5867ff489e724f79af58f64184443146902306af4857e528448e688

SHA512
ab79b7575d5c5c3479f906d76b9826ed27a09cb56c20734a8dccd51198c8280940222f94e842d904dda475e94ca3837fe3e9a6ca6a22babe8a90fb9d846e3c69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
efb1708cc5b217e3ffa0ddf984a2151a

SHA1
a9ed5f72f3d5c32ff12cd7347fe5aea39d8e6e11

SHA256
cadd33926fe5c610fa09994ef86bf9ed01fe8b5946781f73bc7ad624c7c5983d

SHA512
667df7ea57f3d0c25dc1eaa19d3a14f1872ad326c20c5a2dc2888a1d89b3fff6abe7496f3dc7bfe23ece6801999355232748f3b7c226d456e1ac9a4bec439049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca6a9d49-9eb9-47f7-bd29-a9988aaa3a4b.tmp

Filesize
8KB

MD5
9098c5d3929b2f382ec60f09aa0fd19b

SHA1
a3d12d262fe875d1f148f7bf93d227240e55460d

SHA256
75881bc3ee6fe15aa3de6dbbbc17cddeb631c929d453e759046a4805ef348c8f

SHA512
caf19e39ff9c2993fdc0afe7189a660b8f6430eec1d03b809be19f41738e0ef90bdf200284e9610caa87b5bced8b6217ec132c03de83e3feb509277d6622763e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d41ccdfa-4950-4dab-81a2-883e3371f6cb.tmp

Filesize
242KB

MD5
2286553da995a2c6223dd81aceefdea9

SHA1
fb017271cba4c4c1a5e9e5d87e6b02135e4532f2

SHA256
7fd156392ea46ad36fa7f24ac8fee1013d862ca317634bcf742caf075c914103

SHA512
499ca5e3ef7c7eee2136ff14ac7140f0288efa5ad30b8be3d12418014e30485511d5d130e2399eaa73a5c7ccb4b6cd7621eeb364ae796e7777ab422cfaeb0c60

Download Submit
C:\Users\Admin\AppData\Roaming\Health\SecurityHealthManager.exe

Filesize
3.2MB

MD5
9ba5115936784f8cb9ac69bd61736c55

SHA1
dac63ba8cc947740f97d83d734eb6010a67e983c

SHA256
913818cbb566744d97334e44051152cba76e7f51e0ca0d54ea3d401e304480a3

SHA512
9628b5787262619bf752e66bbefd668ffde71036beb8672b4ec35c0cea5d37ce2b181e3a2c7ca56bacab4752516174ee72b917954d4dfe5790fe986da9b79d22

Download Submit
memory/2044-15-0x000000001C600000-0x000000001CB28000-memory.dmp

Filesize
5.2MB

Download
memory/2044-12-0x000000001B5D0000-0x000000001B620000-memory.dmp

Filesize
320KB

Download
memory/2044-18-0x000000001BD50000-0x000000001BD62000-memory.dmp

Filesize
72KB

Download
memory/2044-19-0x000000001BDB0000-0x000000001BDEC000-memory.dmp

Filesize
240KB

Download
memory/2044-14-0x00007FF852DF0000-0x00007FF8538B1000-memory.dmp

Filesize
10.8MB

Download
memory/2044-25-0x000000001CE30000-0x000000001CFD9000-memory.dmp

Filesize
1.7MB

Download
memory/2044-13-0x000000001BE10000-0x000000001BEC2000-memory.dmp

Filesize
712KB

Download
memory/2044-9-0x00007FF852DF0000-0x00007FF8538B1000-memory.dmp

Filesize
10.8MB

Download
memory/2044-11-0x00007FF852DF0000-0x00007FF8538B1000-memory.dmp

Filesize
10.8MB

Download
memory/2044-63-0x000000001CE30000-0x000000001CFD9000-memory.dmp

Filesize
1.7MB

Download
memory/4416-10-0x00007FF852DF0000-0x00007FF8538B1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-0-0x00007FF852DF3000-0x00007FF852DF5000-memory.dmp

Filesize
8KB

Download
memory/4416-2-0x00007FF852DF0000-0x00007FF8538B1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-1-0x0000000000800000-0x0000000000B3E000-memory.dmp

Filesize
3.2MB

Download