quasar | 085ebdee80d776053153a77ba8396b84a134b2ccb2c6774b06d7d59805d39595

Analysis

max time kernel
699s
max time network
698s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fun.exe
Size

3.1MB
MD5

08bf40bfcb734f6fbb2b1b8a15081a75
SHA1

f20375b288aa16fde380543c388fab32e3991905
SHA256

085ebdee80d776053153a77ba8396b84a134b2ccb2c6774b06d7d59805d39595
SHA512

ef3977ba5ffbb49de9e7016cca0fb3d0a69dc830363e77bbadf5e5665288826efe87bc3759475c23fbae0bf03b6863b73cbed5961df049ecdf3b7d794e49a8ef
SSDEEP

49152:rvyI22SsaNYfdPBldt698dBcjH/wtxNESE8k/ivLoGdbj6uTHHB72eh2NT:rvf22SsaNYfdPBldt6+dBcjH/6xnz

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:9224

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-1-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4884 Client.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4884	Client.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762116777024490"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4876 schtasks.exe
788 schtasks.exe

pid	process
4876	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exe

pid	process
1276	chrome.exe
1276	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1160	msedge.exe
1160	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exemsedge.exe

pid process

1276 chrome.exe
1276 chrome.exe
1276 chrome.exe
1276 chrome.exe
3960 msedge.exe
3960 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

fun.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1256	fun.exe
Token: SeDebugPrivilege	4884	Client.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
3960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4884 Client.exe

pid	process
4884	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fun.exeClient.exechrome.exe

description	pid	process	target process
PID 1256 wrote to memory of 4876	1256	fun.exe	schtasks.exe
PID 1256 wrote to memory of 4876	1256	fun.exe	schtasks.exe
PID 1256 wrote to memory of 4884	1256	fun.exe	Client.exe
PID 1256 wrote to memory of 4884	1256	fun.exe	Client.exe
PID 4884 wrote to memory of 788	4884	Client.exe	schtasks.exe
PID 4884 wrote to memory of 788	4884	Client.exe	schtasks.exe
PID 1276 wrote to memory of 4520	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 4520	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 3820	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2540	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2540	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 2240	1276	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fun.exe
"C:\Users\Admin\AppData\Local\Temp\fun.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4876
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.porn.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa87e146f8,0x7ffa87e14708,0x7ffa87e14718
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9687047827672681785,15312734025028948424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9687047827672681785,15312734025028948424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9687047827672681785,15312734025028948424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:2104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9687047827672681785,15312734025028948424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
      4⤵
      PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9687047827672681785,15312734025028948424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      4⤵
      PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ffa87bbcc40,0x7ffa87bbcc4c,0x7ffa87bbcc58
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4868,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=900,i,14996927666562347496,6272257800160880480,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
321b9afa638790c988f38f529ccd3cd9

SHA1
e6b9fd96a1821f09d18664862be7673a02d8e4db

SHA256
d3c9e46ecb40f8837bd89ca374c1d72a113010efd3dd421e1af2ae774e3b0277

SHA512
9a4afce1a3504ce7ac06045a8245b28a7fb76edc367ec1d14373b4be24ac95023494699b84b401ed27dcc58442c580c465d3232dc5810a5858b8896fef7d1d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0594f39041eda9fbf5f4d9f1d0c5e4e3

SHA1
2bba9ea879dadb25b6caf4235b58135e519b1bb3

SHA256
b3fff36d265401f701d37d9dd299cf638d0746e6f2eca763f4d4faa7bba75210

SHA512
611ab4da1263ee8b7fca9466140af3aed405834c1232cce508dad376ffca3f7deabf9529119c23879da383c23de1130545974dd4e0838b2145c034956f160c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
30d0a52e3b6e29eed120b6aa45850818

SHA1
c5e819bc60a5ee3247b5bbc5420e43a7ae4e2937

SHA256
c41ef0325e389f0df7f890a0d16be229ec33e668d30a2fb41534927a6de809fb

SHA512
6c66dcc4cd71d5a5d0068295412fab9f5cffd4cfa10a2e3c4b5b8af88ff8529c3019a4d9322f9d761b7ba7021f7847ed8ac413279f55b296293e492b216f1ad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3da3896c60475e7aecc46bec92de1c1c

SHA1
35f2e15a5523d772308375e7adeb4f3c69aed455

SHA256
80779b225499e954b42970feee577a69f900c6ba7a6da6f4ad7ecab92c1da241

SHA512
9cab99047696de381606cc5b1dc315af14547febeb57bcaf99a4a0a5b395f6b4381ff6264bbd4ceaca22f982359d4466bb86d7acbbe58e4b6b3e80abadc367d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7481818ba342e6b34a6b8fd95ad7a6e1

SHA1
d495f1764cee3a82ad504777f9b67b2d363dea24

SHA256
99f02aeb702eb5317ad29092dc31205ab8eaa79695cf813d7c23cb0d210715f3

SHA512
ce272c5dcee699f00fa12d4a6276061cd6ac0bb7f59c5394e5994b87851292cdc4752c0a99da8157aad18d848baaa9c26b3a6aeb0ebf9fe76dda7e477cd9e471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
092725c63b57c8adb7b58d24801886bb

SHA1
30ce864ea89bf83b2523c605c449c22dc8b66d2a

SHA256
ab043e138af7e110d9b48c0e7e3ce216ce69cb5abdb471815145fed74821f86a

SHA512
6ef2b43f9fd467fd7c6f020ee364e4b02fbf1f53af4ba6eb71766c465caa5ecaaa9c157687d5b5bff69c5602e4a5010083ceab7a466ab2bc84371ca32125acbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
400c4e7d3d2e16f9913c18a303e4da9a

SHA1
b631d5f95943c18986cdaff1d946f120c8a39da8

SHA256
ad6e722721e31525966b27c7cda3ad67baed58193eef3d3b56d748febed425f5

SHA512
6b670680c67eccd315dabeb685fd59d27f6c3a32e4eee8225857f2f0f47ee7e080649c0b41e449e45f038a33e017e39da3f243e85cdf9654a8c8c7a28c86561d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
050c816f137b2569e81ade2ce13eab76

SHA1
417492831244459f651306fd6bc062091c93934c

SHA256
0a10018faff90fe86b230eb8714f3ca91f398025af3609a575535b739caadfa9

SHA512
eb5380b0bba49fd1b7ec63980d9eaae1759ea93174d2b761b8d0b58bdfbd2afd4d196a8af4087019af2d30778c91eaef89f8d6a866678967a15e2fc6e6912fae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
703ce8c4a734673060beb2aaae845586

SHA1
1650f0c422d3221db11986590054b97f93ef2ca9

SHA256
3897d52016843b72b14411bce2ee21352e3e0d69325c54bb7c0e24ce6bcf3648

SHA512
a898889f4bfb9d611cb2b1751c6afc2b4d056f41857c1902844bceea8b0692670050d43038e972c470d3f7a26e833cd94d6f6a7c8e9d9bb4f8c62d0eec05db08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c567ec6d5ce3ac1829eea78732f9006a

SHA1
a7c5af13166a606be023be054cfae96fc6e8295b

SHA256
e4781d2c76b692927e6db9a63d95fe37ad5a9f068e37cf4325dae5fcdf1eaa32

SHA512
87f7bd53f9521c24cbe38c28ee7697776672347a393aa5563244c4cf7d8828611fad4e522dedf097fabcdc307e3c04a20aa292a4f214b65c912ed7f8960096af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b4735ac692cc1f4545316ec78a59acf

SHA1
6515fb4b7a2ca67e71e5bcfd2d436373c0e8b653

SHA256
1759664893a66312b67b1d714a828deed47fa463f20596b4e0be39ca8cc6ae90

SHA512
8eb1ffdda4258478695b4abf5c527e45e4f8b9594e424c97a8e9b0651b979d274cbbc6bf216f1d96405e549f685de26ac8a3b0ceb73d99700eab5822791582b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a04ae2624ef06259576d90b2be6eda9d

SHA1
e8a9b55f991b6224e832398f368c875713528d46

SHA256
cdaccbdb0608909308b1d5e6a0a829e05e35e1c4dbd6b42cd75bd23a595d0c15

SHA512
8df7ed5a0306520e872185a645dae207ccd638a12df45358e1bca53fe01e96cf60d3f1cbf9795990b6fc8730215e1ff334f2591023fa83c9280ed282c46a1046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85c6754d5f84553f2c89c7f9d73d5c6a

SHA1
69d455a4087f836e95e83271653539c0b11fb341

SHA256
b4ea4b69e8352d11fbef5de8587c459d7e6f182ba441dda7ac00d5f258a00d4a

SHA512
7c969371b6a33260fe411e81aa1059a73e0d193cc1b4037307ff66fa20eceddc5e4080d2aeefd4b9615dd0a68624e479bd7888e9f7b4c3158fe8f2261813665d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc762c4c31471caaeb2b6546b00f2789

SHA1
aad1c7ae942181c7134c8d81a23f3bb1fa1552ee

SHA256
4d7c67626489fd90a8d052da7f481b3363c9b5e5d8b0676836d1bcc85c258a1e

SHA512
4e99084a675863c9bd9a85582e7f9fc50cbe269d6ca75ad31c7e9a6197b88b009eebe4f10c147da6d30d0281e12d5b0f600dab2e6e84689341c6f13a1ee06bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ddd7b7481c006512f5ad2b07aae1ef4

SHA1
547670b409413a7f4a98979443acef101a4d092d

SHA256
1d6ec192ae1ecacde07b847b389996c6cd990dedaa58646709f3afb1f8ee1798

SHA512
c001f0e9634b1b363b41814ef53b290d0aae4713eb674f48149628857e67a7b766542bdf656483693aa72c7e7d0e627dd6a699484997583dea1bd08b7cbaf74a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f086e80a0592c9d41adabf1283ce8df9

SHA1
ad43d0a1c0b0c37fb2e26c906bd60fc355152a20

SHA256
addaaf15c8b8da6b678769f151de422ebaef062854f690978dc73ca53fb096a0

SHA512
97cad7280ec170b90950802578adfd14bf91ff4d9e6be4a0ebfd1bf88c2c582489b82c47a050570abcf892550cb1689c542942c89205dc7266ec4b0b3fa2c06c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d1817dc9ed86bcfabcdd67cdb6fa50b

SHA1
be9344b42fa4b5519a5fbeb2d06951e5f443432d

SHA256
96f30edb12eadb3bb50cf5ec1256db3d2ab9fedffe703b0f0fe76bb60881f967

SHA512
5d33ebe80f1cc2f8c2c9b6c24fdb817ab4a3c758021ae23ef3c0b421433c5be432c916086a6595dea3412a36d2e088658c001e652638e7b93bbf264f4ffa6be4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31f9679c0b712cfdb93802eb66ef6548

SHA1
0fdbdf8d0d027bdb57718a2152cbc5af451ef9d8

SHA256
95d8dc56bd63d28c009c902314237c0227d96eed2f1bce0e563f7ae1dbef0004

SHA512
b9f013b88738e5579e303e2650fac162ed9935c99ebf07f11a36241311f30cf75bb69756484bd418e4db9c77fe790bf50745ba791ed6c391bc5dcc6dd53d3177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ce94637c279992ab3b1b86d09885fd5

SHA1
0697e367bdce5a075eefdf23afe92b74d421c2f6

SHA256
e4b726f40d2dcf536b997f380a408be96a3decf4b3551eb5cf13da74c85e1d99

SHA512
50712df260bf84d886bade74efaa1c2017df1d8a6a82f082fabcde6aa425c2134a52fe427099a6780517cfa4bc985f86a30b3d2ded3f4e92670cb4bb51d52ace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28a3dc83355fffd1b8121b9e507d7695

SHA1
c46b228ee67c22d9384f4210730b0bf11b80a0c0

SHA256
4c28d2b8c1c62c1d93d971ffea115e988e78e9e54a22d84414eb187cd4a99ec9

SHA512
d15145451217be5bcfc7b4fe10eefa290c5913a54e59ef7d75c80e62caf76550c4eaa2ad61b092418698df83c35553565e0989466be8bdc8f128765f18879e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e20f2faca98ba3f9ffe6f1f379dfb226

SHA1
9510f32f5ce773b7e71bf4cf170c689c7826c83b

SHA256
91e3d10658678629ddf087e1a4d40d84462b37f6bbd7529b86f02d1ce2b711bc

SHA512
2a3f0d02dc1cd476962bf02f7ecef884d7c7cc09ea83947f7f61633b03f6cae3729134369f71fbe4f51b478cc6f4c47ef69f7c5d2af532d1de6890a77484ffd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
621b32f0b8734acfad1183ed9f5550b9

SHA1
081b0bebe665993e931b6614a2f3e5346599e35d

SHA256
d964303adae1dbc658a099f319a0147058e7ef694542781cc588e6ab5174558b

SHA512
05d14e132c45c7714357eb9851a01a7543369a0f1173cfcf4871b0523c7eee8ea1d3ce77e7897064d80e8325feb1e89563a6d4345b4ab9eff21b91e4830cf368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf7999d0af6ef3e2515ab91f2e68ecf1

SHA1
b7ebcbecba3cf6a408894a2e9fa834a4221ccb05

SHA256
6865337e9b441c71238ae6b12b739ff91603014cd0c30fde8fa37121ee1a2c9a

SHA512
6dca51073417c98aba06538719ccb51e3357ee26b94806fc4ffe3219c4d0fb9b34403039542e152a1d9c8bd2da2984469fc223bfeefec29173df56d9b629caa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88e13a18d507632f0b23371fc72468b9

SHA1
a3c1b8fd66c1aa03e758e15f77724115f0639675

SHA256
a109bff7e8dfb3ede1df9cf7aee0d923a1d52145a099e24032dfdce182acaa79

SHA512
9148792e4483b602fc326fec5dad6b12a721a1b9cf3661a0909bda2057393f8ba075716f70694913e57be49979f84245fe2c89ec105e3b0e42fb8b65908366eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33094e15391c22a1ae173a6f969017e6

SHA1
565f877cd7a33a835bd1936b3342ac40ec6700c9

SHA256
1e53ffa3a23cb7fcd9b037c7bb8c875513b126e64e5f66657a056b6cbda21b45

SHA512
59cc36ef59fd60c3dc4af15a7d38ec7332fe15a2be3d5828fdc236fd61748c8a494e50f928deca5502473914c97767d7d230136a0214c9b446d85b9ec428c076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2de9bd3b337bf2554ad2d401ec27bc3b

SHA1
985959b486e5a0647ea99464253ea9836aa056f5

SHA256
790c1c3c39a117d6fe06c9ecb8dfadd37f65bf245e28f9489c3103136502ec68

SHA512
4a5c3b05514b3883e31a80642080b87a5ac2ffd5458fb53d156e28b1840eb644db5ebd29be6e6e38ccf3204d48d94047b77c5dbf095719dd4dc93f66601d3eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ef39356982b6408377e7c1c2f5981ef4

SHA1
402c9e48ec4df315ba3f5ace99c9accf34f885cd

SHA256
26632ed3e79850c2bc9f0096d212252eab04c80423a33711cb1bc29010db78d2

SHA512
386fb013d1f0752964d050e518cbcf9ed6e80a1eb88fe280c1c923833ae904b5a4172046370b7e2f8935a8f96ffad77006ebf6fb51cffe2a2f3b9af4ffae4757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c6dfda8d-933e-4486-886c-48aacda0a132.tmp

Filesize
9KB

MD5
0a71c4ccf1dfe00b8c22613239540d4e

SHA1
924d869176c3752ffa652312390eb2254ac7574e

SHA256
8acd3d0fa277dc96d1167d3cce0984d423d8dc8cb8262d48bf133899f6a49fd4

SHA512
84a0cd3e2549863e82998cb73b0325e6438f8d9a3cc327382f772cb0e155b533472221d2deb2ed3c39da3cf4fb5582ae04954f3ae4c3a5b2df4abd8461cdff82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\db13de32-f6c6-4e31-a20c-7b08865a9d46.tmp

Filesize
9KB

MD5
a0e7caca319bad4bd1a6fa58259cfe22

SHA1
ad8d89f710b9917407f0bd947d7b8b8fbd9855bf

SHA256
5b9ce2f85c85c659bd3c2e1d97af98bbc4f4827d668bee91d741e6d30cfa312c

SHA512
a78c1f0e745925452dafe4427ff96c66f4f3b766c3534cbe20a924e786e1cfe85d26c6aca00d35a6e5e38d5ae3bfb28966db640d954b236aa771a6db6b623c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
4a4b62d19aa502939e6011affe09e4f6

SHA1
c927d58edd662ff70359cb6a28b6a28d23fd2236

SHA256
e067bd19117051519343543d9eaa160d892fda6bc3c6fb28b4d842e2b3ef9400

SHA512
0e045163ddd24d7f64e54fafa2811df61e3ecc0040dff5fc929be6975e3e10b910830a9b33772d5dad333c397150a6c8876935dedce2af376604d5868ebb6ddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
071af9c1fa4aa396f4c4823d505edff7

SHA1
711fbc03f8417db662edd1db12a0d19355506149

SHA256
32e3fcb1f6cf1cf932b5f6ff05c2dcb1c3b845311a4f4e8d592abebc8a385ffc

SHA512
ca33b0c30dab27eff585b02afe6953bb6e9e6aaa8765df4b3153550fbf1d80717db403f8bc62ae7003edab67bfa7593edb278146746012c23c9043ebe9e4052c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fccab8a2a3330ebd702a08d6cc6c1aee

SHA1
2d0ea7fa697cb1723d240ebf3c0781ce56273cf7

SHA256
fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712

SHA512
5339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d533e1f93a61b94eea29bf4313b0a8e

SHA1
96c1f0811d9e2fbf408e1b7186921b855fc891db

SHA256
ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3

SHA512
b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
31141c210e7e17484c91bb795baa12f3

SHA1
7da93a4a4bd3ee994c2fd120a87049860ef74e3f

SHA256
812cddf8ca6d1c7637e4ad87c53cca458cdb87c19c587f13920512273a401d23

SHA512
c35b0960b2fcdb9bd16e5415a921c4e37511f73170a4ba17f8b40db9338ef4bdd00aa66878922802a9fccc8606bcb5c8ae9eea1ace86853ed9713d4d75fab051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
861c5d2c0be7cd45e88d74470a650262

SHA1
947d409fa69ef729280637a6ac5ff45f656e29f1

SHA256
21cb34fb27f533702bbe20fb82b2903fc2b6e0cd767440dac9ef4a0a0d13d6c2

SHA512
6545d4583277c7d5d701d2613db778633762ee3680aee507f8965a458e7036ac9d148876c48f75b985eb9c17e301afe2ef5e3eb7fdd40b9666b9154e19b7be69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab79cb587f2cc0de6ca6cea00d8926b8

SHA1
1650a3efa8468d25d807df0aa9bccbb3c828b12d

SHA256
90a0fe29d28c756e2b1cfb7a2b96aaf19ef765170de8c762b0e4b31a7972383e

SHA512
f9dcdb691054404d10b7440d6ff78e23c43a736bc9521678d37b0cdbd8c38a641a9abe087ff07f73ed3a234715b1db733c43a927cba7bfa1d134dcffb804b7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
2ebd444a301d559e28c4695a1d974b56

SHA1
5135a2bc25eb4470ac257474d5df31a9ad52b2ca

SHA256
3d46514fbaeb9d2da8644b559c82f374e7ca5a19572ca20a57a61fa17e82b5df

SHA512
7054c1ff6850efb85832d7f1b6b549dfe6ef2391d1b28b026bd9d1bf00df680182a75110476f0edd0f5c878e72ee881ff52b479c3d8af5c75b24d3740483af7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ed659b1d7a51e558246bd24f62fff931

SHA1
84685d6f04379c290e4261ff04e9e1879d54d42c

SHA256
23fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690

SHA512
1c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec09c7cbd7cb0b8a777b3a9e2a1892e

SHA1
3b07979e57b6c93be7d5a6cd8fa954dee91bd8dd

SHA256
a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e

SHA512
5fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d9971646-0461-423c-9976-bf3720b5e4cc.tmp

Filesize
8KB

MD5
1d970ddfff0bcc0b481261871d5a1b7f

SHA1
d9fad093a4f50deca89e59a3d6bccfcbf1ccb5b2

SHA256
eca8008a8f70614b89943c3f9e1f1c4680f638d438370c0e3a18060e2ebc1a69

SHA512
9b1162c7e43d44d929f6d6b5acb3fd858346a5cc52759fee68c435b2a70d4f845d0ad870e1d2ece632bc10883117b795b6e010dcfa2145ef2813567d9b0151f6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
08bf40bfcb734f6fbb2b1b8a15081a75

SHA1
f20375b288aa16fde380543c388fab32e3991905

SHA256
085ebdee80d776053153a77ba8396b84a134b2ccb2c6774b06d7d59805d39595

SHA512
ef3977ba5ffbb49de9e7016cca0fb3d0a69dc830363e77bbadf5e5665288826efe87bc3759475c23fbae0bf03b6863b73cbed5961df049ecdf3b7d794e49a8ef

Download Submit
\??\pipe\crashpad_1276_PKPJMWBRYSPFFUFU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1256-2-0x00007FFA7CAD0000-0x00007FFA7D592000-memory.dmp

Filesize
10.8MB

Download
memory/1256-5-0x00007FFA7CAD0000-0x00007FFA7D592000-memory.dmp

Filesize
10.8MB

Download
memory/1256-1-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/1256-0-0x00007FFA7CAD3000-0x00007FFA7CAD5000-memory.dmp

Filesize
8KB

Download
memory/4884-12-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

Filesize
72KB

Download
memory/4884-6-0x00007FFA7CAD0000-0x00007FFA7D592000-memory.dmp

Filesize
10.8MB

Download
memory/4884-13-0x000000001D040000-0x000000001D07C000-memory.dmp

Filesize
240KB

Download
memory/4884-14-0x00007FFA7CAD0000-0x00007FFA7D592000-memory.dmp

Filesize
10.8MB

Download
memory/4884-9-0x000000001C440000-0x000000001C4F2000-memory.dmp

Filesize
712KB

Download
memory/4884-8-0x000000001B200000-0x000000001B250000-memory.dmp

Filesize
320KB

Download
memory/4884-7-0x00007FFA7CAD0000-0x00007FFA7D592000-memory.dmp

Filesize
10.8MB

Download
memory/4884-39-0x000000001DAE0000-0x000000001E008000-memory.dmp

Filesize
5.2MB

Download