quasar | hxxps://gofile[.]io/d/g5W7RR

Analysis

max time kernel
744s
max time network
449s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/g5W7RR

Score

10^/10

quasar defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
D18FCB787D16A5F82E1F348154C9AB4F57538F67
reconnect_delay
3

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000002ac9d-71.dat	family_quasar
behavioral1/memory/1308-100-0x00000244AAF10000-0x00000244AB09E000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
13	4576	chrome.exe

Executes dropped EXE 6 IoCs

pid	Process
1308	svchost4.0.exe
1076	svchost4.0 (1).exe
2156	svchost4.0 (2).exe
3148	svchost4.0 (3).exe
5284	svchost4.0 (4).exe
232	svchost4.0 (5).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	api.gofile.io
7	api.gofile.io

Suspicious use of NtSetInformationThreadHideFromDebugger 55 IoCs

pid	Process
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
1076	svchost4.0 (1).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (2).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (3).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (4).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (5).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895063693138904"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (5).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (2).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (3).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\svchost4.0 (4).exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5916	schtasks.exe
1516	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1308	svchost4.0.exe
1308	svchost4.0.exe
1984	chrome.exe
1984	chrome.exe
1076	svchost4.0 (1).exe
2156	svchost4.0 (2).exe
2156	svchost4.0 (2).exe
5540	chrome.exe
5540	chrome.exe
3148	svchost4.0 (3).exe
5284	svchost4.0 (4).exe
5284	svchost4.0 (4).exe
232	svchost4.0 (5).exe
232	svchost4.0 (5).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeDebugPrivilege	1308	svchost4.0.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe
Token: SeCreatePagefilePrivilege	1984	chrome.exe
Token: SeShutdownPrivilege	1984	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe
1984	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1532	1984	chrome.exe	78
PID 1984 wrote to memory of 1532	1984	chrome.exe	78
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 1200	1984	chrome.exe	79
PID 1984 wrote to memory of 4576	1984	chrome.exe	80
PID 1984 wrote to memory of 4576	1984	chrome.exe	80
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82
PID 1984 wrote to memory of 3584	1984	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/g5W7RR
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0ca0dcf8,0x7ffa0ca0dd04,0x7ffa0ca0dd10
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1412,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2216 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2332,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2496 /prefetch:13
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4228 /prefetch:9
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5128,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5140 /prefetch:14
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5192,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5716,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5720 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2204
- C:\Users\Admin\Downloads\svchost4.0.exe
  "C:\Users\Admin\Downloads\svchost4.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5900,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5940 /prefetch:14
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4736,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5980 /prefetch:14
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4240,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4320,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5372 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5392,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:388
- C:\Users\Admin\Downloads\svchost4.0 (1).exe
  "C:\Users\Admin\Downloads\svchost4.0 (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4248,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5516 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4084
- C:\Users\Admin\Downloads\svchost4.0 (2).exe
  "C:\Users\Admin\Downloads\svchost4.0 (2).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\folder\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5520,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4424 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5308,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4348 /prefetch:14
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4476,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6044,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5184 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:252
- C:\Users\Admin\Downloads\svchost4.0 (3).exe
  "C:\Users\Admin\Downloads\svchost4.0 (3).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\folder\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5960,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5432 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1100
- C:\Users\Admin\Downloads\svchost4.0 (4).exe
  "C:\Users\Admin\Downloads\svchost4.0 (4).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5284
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\folder\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6004,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4972,i,10825865542232645355,1631059434464076400,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=740 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:808
- C:\Users\Admin\Downloads\svchost4.0 (5).exe
  "C:\Users\Admin\Downloads\svchost4.0 (5).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:232

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8b721661-f34d-461f-b60e-79692bd56ea2.tmp

Filesize
78KB

MD5
9247881803cbf9436c18d828bf75b786

SHA1
f02a36da0489d3ac867d8ebc383b42ed797ad9eb

SHA256
d4df100bbca3c698060d8ce18d19d9e4f3808e51a3cae5c2c82b79fc81977a87

SHA512
40b9213c1621e643af52ae6b90f7b5511eaeb73a07f3930783d9b79e77ab4d167075f2c3c7351fa475341b085e7ee8c757a5ccc4157e136cbcd65264f0fd4096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f087eddfa8b8a365295cb671dae59c3f

SHA1
8459718ee698fdecc04564484540a640d8caf9a1

SHA256
bfd7136692e1d3c62451fdfbde50b6e1d79fa840951c388736addb977f90ffd1

SHA512
489ac4a031cca92cdf29fcdc69eb358c37bee32994c960ded63d8c65424f4fa790ada5ff0a0ad422c472d1d0d04908b6bb88d41a4498362b8305fc9c2e775dc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6494d47c5ae16d994bfc032d89097a38

SHA1
bf7dae4bd8d82f5b09a8d88e133a93f66a0478b5

SHA256
c3e59c427d6554996dc0b1d61dc69706e882466c49bc94fd0359ceef2e83f21e

SHA512
9e7e230f0e1d56c0128d3a6920829c89d44e29bd99387138c77e35468b6fbcd637ba986f35cc280a95365f90d0890cdacd17396e25e03af35b8abf5e397f82c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0c8258968375ee0e7d1871e2259aa6be

SHA1
a1d91b81d38583a3bc2df1f14001bcf73b8b74d2

SHA256
ba56e920467829857133ec85a24e38fa6f0751d6392f82201fa5fe0471a51e46

SHA512
26c344dcf392cdb3cab23ee10c4f8f8a19f17c35f5a560c23a7d873521548102823b0f0568c3e3078373c598e5b03948e9fadc996eb52222c2e15b873193db72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
89f1cbc63b032a60f3bcd89465848814

SHA1
c9b734e89d0a239dcbdc8df70b41865452fea3b2

SHA256
68149ec794042483ce71bb1c42c709608949fd9e88094c990d30b0405571c700

SHA512
8ed796aae87142a7d6e48ca007d0ffd2791018e705c99d3309e301ea8d4ee04369bedf43346ebb484bb6eee8545275ffcd96792f8c2be6a070e167bdb4e44733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fee581ccd7cd3cc2db519fb2f835cf33

SHA1
b8ff156fc2dd908b8024b6bce93be2389f524253

SHA256
fe50acad0bfdff9e41f180c45aa13ad3de49cb8bec6e8d4df1db413c0535eac4

SHA512
fd925b3dbb62971ed4356c08365adddb2dbf7fb2873a578889db62e9f4418afafd858bd01add4fbdfaa7c44dc048a082cdb1cb5edd78b60fcacf1417076fa7db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c20edbb6aa3f402ab5932842c814cd5a

SHA1
c79ca0fbb29cfa93da72a55e3b030cd0178b98df

SHA256
c4ab592bbddeb54bb6d406d5409aaa9827119c4c66f9c52a052e596ea8e430ed

SHA512
e83d8a511852cfe4d50cf62ec3d987558116bbab0ae420765808f4d2ff1c86667ef414123bec0a0488a6ea320315c732219bd3cf4cd315599e791ac15eacba07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f3ee97c7af4ceb19265fd7d3b2edbc1e

SHA1
ac004d0d022920b137c0153f08f18020eb77ca2a

SHA256
5f8a73a14cbff8d5f529c29f189c288397e0a4020f9c40eee18aaf30c0919963

SHA512
1bf06f4791adabacef8d9ca1a58276f5b5ad31ea989cbd8c787f4a6d47f1da8b06a5b0890aeebad5a26552478549eb44b5ab5ec268eb55d51267716cd5734b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d233482d6c4bd6f376383f20567e101b

SHA1
fc0b69075db00b2f1d3269c2de7376aec81a3667

SHA256
e1a2f1f88c7b02a042b3611fd92a4c023bd27952ed76b330369211e1a6129a28

SHA512
061ea62db6535d15a25c71895d04d2f83bb684048db2cc3c993b396ac716d8ceabd83e2efbb8e71b0a5eaadee4dea9ab3ec6095f72fa45845b0cb9e62efa4396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
77b3d38485a3fc383e336769bf1468d8

SHA1
66807828bba9976d3ee77d2eda02a124bdae662e

SHA256
65b34cf96785d0ec582b945ece1b58664296550719385a81b8e5d27196eab7d9

SHA512
d601d62d26be6ff4c67f81591072d4a4ab5b0c5913db10fd6bea2f7ae4a7559c0bbc06e4f64c83d3540caf466934f68090043f157b33b731896d26036260473e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7ca247bac35eb4c2acf7c921a6090664

SHA1
f1c8c2cf6b29e1509583a8f13dbccc518e94da15

SHA256
662691638da3c0fe0833bcbc59e1fb6b890c198e609cd3498d55546d53be93f9

SHA512
9ece58657b5d78e5ce0dffe9e01d7d88fb67121e3a93e31a7cf774d77861ca595537159f8852628172293ea72a52c2704d3f4beff091e7c9abdd91ce141a6ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9be86913547f43bc50755551f713780d

SHA1
4a047016448bbf60cbecc81742fbb64364c263d5

SHA256
9f9fceb771c61d32f482f9aa894e3a6b1a9a37a09ddc4e70d0c1d6ffe91ec80c

SHA512
8c02456ebc5fe47ceb445c883cccfb4276d94b54e6c767fd0ad0d78f05cc915adfb1a98b4b42f79c74e3864805343429bd85ad36ca322fe3886fba1db26846e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5de03c3fc20c1625310b5b50892ce07e

SHA1
d02ce12f7f807c4563e7f8b563bd40665435f5e7

SHA256
e4e448a6c1e7145bdee24f8f9f0ed7ce76f48c988e8cb2b6141a96a4c341dd3f

SHA512
e4c8e0224bc9e59240485867db675773d340997a8bb4a8b099f2936fce87cfe8dcdcf50b07159ba0989fa9bdf1961933b141964271a71e4471f0b9137425c96e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
716ba2636a0cb360207d76644a5a90a5

SHA1
f46902bff35305940ed70fc3e615f4f59a226f16

SHA256
b315fd0b3aaf64593f9a056c8c216426fdf3ea074964bbada0303e6e3b133291

SHA512
012e49c7cecb50d8afee817aefde72603f2dd3545f484b0bf2f89c8fd5f4730b745d651983b3ac1edd2dac6ab4e97882f538bbf5f58da5daf29db5da2fdf6823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d7dadd84ed3c27124999833093dc80a7

SHA1
056729baf602bbacdb3c0bd2d8777c2b8a9ba572

SHA256
123972fc14f6444a6103064a97bc89fd028513d0368e5c1f038401abcd1f888a

SHA512
f87140383e49b355fa243d19c8ed19d0bd4d07c8bea588356e70a0cc70cfda56925cc2e842c97b283076f038a0e5e65cc126a84d317b87ee4db29f342b3dbbe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
97e5b347e6c6f9aa0a144bbdb11eaf15

SHA1
84972bc280db219c878825dc4d68ed0dd782eb6e

SHA256
d3592bf9dd65ab700b79b227f00687e8b5dec71b163fd145d780cc2609f76303

SHA512
67cf2403e968e55692d98ca86e071547a45f0540174e3c5632a03d7d25bcce0b9613f06f24ecf7d238461bdb1b5725a4b68c401b30d8921ad278fc85dff0a7c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a0e3.TMP

Filesize
48B

MD5
5b8d0078084f2c7ff9404004fe8d8b92

SHA1
39c3bcb4e6c1c97f0f08a18200bff025cb3550e8

SHA256
0eb9d878d0c0dbdcc7eff0d149f0089612503ab95228210345eb04930dd55c2d

SHA512
1afcbfb0f3863f76aba78ba0faeec6058656a279f79323a03c49968689922fe516cf8bf9cb34363bdd044709dc273d0d101efdc4524a7c234f8baba4870b3dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
e1049fb5eb7ab6e561164f57b6f16dc6

SHA1
63087e7faf04021bf9cfcea3eb182130c31db261

SHA256
2c0c0aeaf946b4c1a5d4e84cd9b1ade415cd06b0cdbcf2a1bd69d221e809d7cb

SHA512
7f0378a19381064785f7ae851cfa8bfb5e69c08d32cddb338cfd31e970168cc9c5418fd6722c4a2d618c9afdb7cb8bfb7b686755a81320d5f03d55fcb95fa3ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
f3f43b1416c752170a621baa022c503e

SHA1
2f32a94d4afdb7926dbf9ddec28495fe31f928a9

SHA256
c6f8ee3de1c46098c96c3414f124d08bca8e4a8d0ab1749428a8ccb8997c4ffd

SHA512
bb90e62306a6718e9b3c97f4428cd99c188d137366a6f5eead50bc26e343329d7c98cad5feb7006e03a3d58396dba2504216801718b0c43e1c1c747f90613513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
4ced590470360e975c2cc290756de666

SHA1
b1dcb4dfa4db5aa239e686ccf8ac42987d79c47a

SHA256
9d4054056f3ba5174603b93e1c554071917fd20a160c0670782a4c66a2564e04

SHA512
141749a410705b7497917f54f1998889463680fea4171062c7fa6361d5cd1b8dce345d7e87dab928ec600c7fcc0f99c14aefd78a71ced7f47363fb07c54d184a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 345962.crdownload

Filesize
1.5MB

MD5
dd58b5614e9c2c27994979ba81311481

SHA1
9e17ddc81a1742ec3b77047c805d57f0a7d9c9ba

SHA256
928258ede9fdf8aa6f0644dec496dbeeb3de5d2d491187961ba4a4ea1f48a0e8

SHA512
e932b98bf06a038f119fe9c2ab8c9a2a6c455a5af3e3e77881e5113aa360856a9ade6d6dbc401091ee288cb36648778597ea55d514eac131f10d9ab83735d959

Download Submit
C:\Users\Admin\Downloads\svchost4.0 (2).exe:Zone.Identifier

Filesize
58B

MD5
f328e184c322cba91dc3c014fe2ef3e9

SHA1
2aab1f0a70009051dcc87350e0f3b079da02fbb2

SHA256
fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d

SHA512
e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e

Download Submit
C:\Users\Admin\Downloads\svchost4.0 (3).exe:Zone.Identifier

Filesize
157B

MD5
71b1cc17231d9e318a18741556af7cec

SHA1
b40c8c0fb9dc67b7e77e5bc73fe7e0d9a27dc2ea

SHA256
1d7f917333948a640d50d7e2b7adafabb3e6702d283ba3a656c3cca7ce6ec03f

SHA512
092b193c18b2714fdd720a872aefe92536f0f3a8a0a85a8e18c95d5d09f5476ad8f74862015335d174f5eb51dd5e30316e4f68279436bd05928804279ac116fd

Download Submit
C:\Users\Admin\Downloads\svchost4.0.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1308-101-0x00000244ACD00000-0x00000244ACD1A000-memory.dmp

Filesize
104KB

Download
memory/1308-102-0x00007FF9E8EF0000-0x00007FF9E99B2000-memory.dmp

Filesize
10.8MB

Download
memory/1308-100-0x00000244AAF10000-0x00000244AB09E000-memory.dmp

Filesize
1.6MB

Download
memory/1308-103-0x00007FF9E8EF0000-0x00007FF9E99B2000-memory.dmp

Filesize
10.8MB

Download
memory/1308-99-0x00007FF9E8EF3000-0x00007FF9E8EF5000-memory.dmp

Filesize
8KB

Download
memory/3148-271-0x00007FF9E8640000-0x00007FF9E9102000-memory.dmp

Filesize
10.8MB

Download
memory/5284-302-0x00007FF9E9320000-0x00007FF9E9DE2000-memory.dmp

Filesize
10.8MB

Download