quasar | hxxps://gofile[.]io/d/atP8It

Analysis

max time kernel
898s
max time network
450s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/atP8It

Score

10^/10

quasar defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
33A9AAB923C4CB779A5E0B85A03E4081A8AB87DC
log_directory
��
reconnect_delay
3

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b07d-66.dat	family_quasar
behavioral1/memory/4088-98-0x0000024635BE0000-0x0000024635D72000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	6052	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
4088	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	api.gofile.io
9	api.gofile.io
11	api.gofile.io

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\svchost.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895071366564952"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\svchost.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
4088	svchost.exe
4088	svchost.exe
2752	chrome.exe
2752	chrome.exe
348	chrome.exe
348	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeDebugPrivilege	4088	svchost.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe
Token: SeCreatePagefilePrivilege	2752	chrome.exe
Token: SeShutdownPrivilege	2752	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe
2752	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 5776	2752	chrome.exe	78
PID 2752 wrote to memory of 5776	2752	chrome.exe	78
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 944	2752	chrome.exe	79
PID 2752 wrote to memory of 6052	2752	chrome.exe	80
PID 2752 wrote to memory of 6052	2752	chrome.exe	80
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81
PID 2752 wrote to memory of 5772	2752	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/atP8It
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff980e2dcf8,0x7ff980e2dd04,0x7ff980e2dd10
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1944,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=2224 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2312,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=2448 /prefetch:13
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4172,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=4192 /prefetch:9
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4152,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5108 /prefetch:14
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5140,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5784,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5788 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2028
- C:\Users\Admin\Downloads\svchost.exe
  "C:\Users\Admin\Downloads\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5840 /prefetch:14
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=6028 /prefetch:14
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5500 /prefetch:14
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5052,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5284 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4712,i,6864116096662283968,16597060738300328555,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=4208 /prefetch:14
  2⤵
  PID:6032

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8959dd96-498d-42b0-8519-1125533ef3ce.tmp

Filesize
10KB

MD5
98a1eed94858742c6ae08e498a5a9f49

SHA1
db9a7658c77b2bdadd95595a9a65227a78e100a6

SHA256
341eb1d110ab4b5763ac9f30706eee27e84e9f0321d5ecf55f7294083784d4fa

SHA512
1dc380c45fba44d49b007262dd4b92360d58be553b68cac655ef6a15281703d38bd2b40aeb0e736467f7f9d43af9a06d4897d054e590b500697d922811c57616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
206b2bb9cf475b781009f1cdf111252e

SHA1
b55241963a80e9f5fab85490a22a6e89f8092e3f

SHA256
77453ae475c79a7b0bfcf6846f9484bc392df97aead7e09624b575a6b7622f85

SHA512
5bcc58e09410ef44580e4866a8af1628b29ce71b46fb22c1fa4dedbf8c165c8217e6fb4551bae13243ba4c17e874f0635c36b9b050e86fcc6f54293b213e208d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a99ea16563ebad76be2e8d4f9cc919ec

SHA1
e70236067e1de7116d1bc9b2b69cd2d1dca33722

SHA256
6fcd984d962b1e2934c2d52060e155fd6cfbc1a577238083cddc65233fba6060

SHA512
94dcf3d5c962ee7decdde19d67b25edd5f815cea9c17825d9747d5f3c4006445a2e39018f962caa2fe1540b1d414cc93b860f15325ba38d298855e0b57de1f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
db789dbe8dde6e29510ad8ef3e5bf00b

SHA1
0b2ea3bd53750f0e6d2ea521c9d47baaf68e235e

SHA256
3d2d2d74cafdf67cb6e3581f0d2da0d8dcf98fc9bf3103d23229a8f5ce696a2c

SHA512
77487a49647d8d9c70b5bce11d83c39be70bcfe4828cd857a774114ed1c871801a9f892f31ac8c20b8e755337874cb0fad10c17f95fcacc7fae5472705c33c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
344ecf4f5a27947e42b161403bf70e92

SHA1
89405bd039351c86d5fb3fc0d7ad4732d5884675

SHA256
4d319c3d63a65b3dfe188b9661fd8e116c97816d4e6c7911535e2ad8acadaa83

SHA512
f91e1052758297392e89b2578d9692d3fdd88de768bfdccdf2731d42a1358b0c4c6ca897ef0b7281209fdbd0b37602401d540098ca995f9fd8cb9615732c2e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e79419bcdbe0e7758c7e889b43f940b1

SHA1
23af27477d1192ad8ab24550eff1c65eb809ef96

SHA256
bead4b3c23e278e70bf3671f91825283f31f22844b3bf9e476651509eace7939

SHA512
6e2580a54e45303f8c41e5318fbadd98b303c1c476be8aac5bd5af376cc4ba4c0a59d65deb6b2d2b6e5c744c3edd4ae6d2b583e073e5037adcbfeb71e55b4b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b6dad49bfc79d8daa28d08bbc0a2d75b

SHA1
3ad5c345f858597bad56677f341412e825f80026

SHA256
3e68cb378ab4423098449bd5ecfd1f964c47d5a0a93cad412dde28810343f4f0

SHA512
7154b0559aa420193b25c6d7d9dd63e415b8b8833e8912d530a89235bc4901ea2ea8be094205607c34671a871887f56ccef0a32cdc612aa8ab1f9852d12623e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bf47742f8993537f99eb021df136c625

SHA1
1e4cfd58b087c6f2a618c55688bbfc3402cf03f4

SHA256
ad894b15ffff3eb1dbd73e58af2485f0b20c7f81403a6f7254ceaf2b9b6489dd

SHA512
d5fe3537b8d3a19df580c9f354b47b947cf4c45beb51878485a62efbd3c2a4789a37f1f3aa12ae0a212dbf0f6587819c5b1c34fe8e9228271cd5415783037cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
559522c65d317823ab22414134ca5158

SHA1
f0678dd948c6d434b6f107cc69189300f7fb1259

SHA256
0659677b6d5f1a11a6b6fa5d3b05906a40db264d98f1fae25b9b2bd76c2a75d6

SHA512
67cefbb03d02a118841dbad26ddcddddd4788b83b87270543c1c7673b6330d03ffc47a6c77665e4cffcb09f5b4dbd9f65d05ca5bb7bcfdbac3f7d309f1d29d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b517.TMP

Filesize
48B

MD5
299b8aefd2b13ac50091cfddef396844

SHA1
f53d6f6cf3c78b2d20fe59724592899f657d8e36

SHA256
d016d74a30e3d874d92739629679333baf2498d5227b1dd2376f0c16fad36742

SHA512
4b53b8c564db11eae2fb02cc6ca645dba761230d0eafa54a4d76eeb866ae40e9138e5ab9daa65281dad9b35a17f2400f80351c118b24646347b2ff4b78e6e9b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
fa9547b9f0277703967a47ff62070e7d

SHA1
19ce91586975715277cd5a8ce9aede3915aa0b11

SHA256
9cf04e8d69b202d3a3214f3ba3df1829a473b73281af060d8421fdbcf76234ec

SHA512
62d0210541a27b25312104abbd270de6e79b589fc2df3cf76f9f881a715766c4cef7e79805c5ac13dd3789b76a79bfa8c0cf1265599d7cbc670250f6660410e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
bb3029170fcad45af7fa90eae815d23c

SHA1
72e634b9d76da0691f6b8ae0e00f76e596767317

SHA256
057da8ac3f783711d0718c816b75512cfa08cedfb52d9713bac6d9dfc6f20eb1

SHA512
949f3f558462150d1daa1321f8f3be672e2515500dd7a5ec9f33f092ef949a3d62554d6d16a3447f1a45a8e14483851d7ddb3f0e79649eaad3185e7f042afccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
6ef96fc85431c060d376a411a9d1e891

SHA1
c230152a3ef8705d73997e5ad5849a401adc6867

SHA256
35efcd5e1f32d6e21984f02c36c66d705bad96e5c35615b8e679b7651224121f

SHA512
483b51a3496dbcab402461d025b5125b55d00f25c4ce23b16e0c99fa485a7609a1984e165e70ecf15a200f9fafbef3755ad5d4200b3a918be7a61d9a6ad75e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
4b736ffda6ec24e0f46ab4163aa1040d

SHA1
b8b785e83dfc06594c064eaf5d2cc82f9f36c830

SHA256
4aa98d6e38c90b80df16b37471275a09036fe1450363c2522083a05a1a4f3903

SHA512
2ffad906504adf6ee1e4cbc125f029262149df50f9cdda27b4bd9ba244dc84673a308243f2a3d1d793cde4a8ca08c992d64fd6b6596eee48b11a82106afc85a3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 484959.crdownload

Filesize
1.5MB

MD5
897c1752c2f4213fe20bdbe590757272

SHA1
3b5015e9823d5d67e141642425adfe4ffc5a4c4d

SHA256
cdb70145f89c67353b14fcb317f4cb66194b31ba8ccc47e7e8ca3bd262ecdc19

SHA512
2264f3a15505c55f1b9cee7d0b3dc9f80f271982288b836720f1e4e7fca71643f49bb08364c4622f44e33ce43301b89a155d2e5f4cb04938f585ac6fd3f32ad3

Download Submit
C:\Users\Admin\Downloads\svchost.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4088-98-0x0000024635BE0000-0x0000024635D72000-memory.dmp

Filesize
1.6MB

Download
memory/4088-111-0x00007FF95EB10000-0x00007FF95F5D2000-memory.dmp

Filesize
10.8MB

Download
memory/4088-101-0x00007FF95EB10000-0x00007FF95F5D2000-memory.dmp

Filesize
10.8MB

Download
memory/4088-99-0x000002464FFE0000-0x000002464FFFA000-memory.dmp

Filesize
104KB

Download
memory/4088-97-0x00007FF95EB13000-0x00007FF95EB15000-memory.dmp

Filesize
8KB

Download