Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-04-2024 06:14
General
- Target: Premium_Cleaner(Cracked by st).exe
- Size: 3.2MB
- MD5: f89428aba2b28f3124d40f262710fc46
- SHA1: 0b9db50a873682e781b0e378004b0d7e6b415f78
- SHA256: e51b436055f0e48e04b3c7c89dce20ac35aef6d63b178c42d6285cf21401ec4a
- SHA512: 16e576b694ed0ee9796d13504a6489ff501eb2b9cd576e442318090d46f5433afce4ce39d031e8eca92b95a4b90a6dc9926b13d04021ef48d9bf3d8698165540
- SSDEEP: 49152:QvyI22SsaNYfdPBldt698dBcjHAfRJ6pbR3LoGdFkTHHB72eh2NT:Qvf22SsaNYfdPBldt6+dBcjHAfRJ6r
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: Sentiax-51535.portmap.io:51535
- Mutex: b16f14a5-eba8-46dc-b974-11a9193ee5c1
- encryption_key: 504CA536F80AA42E62457478D8A6A72CDC6CA06F
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Premium_Cleaner(Cracked by st)
- subdirectory: SubDir
Signatures
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4900-0-0x0000000000CA0000-0x0000000000FD4000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
- Executes dropped EXE (1 IoC)
  pid | process
  4264 | Client.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1444 | schtasks.exe
  2768 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133573761396919162" | chrome.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  436 | chrome.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  pid | process
  436 | chrome.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4900 | Premium_Cleaner(Cracked by st).exe
  Token: SeDebugPrivilege | 4264 | Client.exe
  Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating | 436 | chrome.exe (remaining 62 entries)
- Suspicious use of FindShellTrayWindow (27 IoCs)
  pid | process
  436 | chrome.exe (27 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid | process
  436 | chrome.exe (12 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  4264 | Client.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 4900 wrote to memory of 1444 | 4900 | Premium_Cleaner(Cracked by st).exe | schtasks.exe (2 entries)
  PID 4900 wrote to memory of 4264 | 4900 | Premium_Cleaner(Cracked by st).exe | Client.exe (2 entries)
  PID 4264 wrote to memory of 2768 | 4264 | Client.exe | schtasks.exe (2 entries)
  PID 436 wrote to memory of 3948 | 436 | chrome.exe | chrome.exe (2 entries)
  PID 436 wrote to memory of 2336 | 436 | chrome.exe | chrome.exe (38 entries)
  PID 436 wrote to memory of 908 | 436 | chrome.exe | chrome.exe (2 entries)
  PID 436 wrote to memory of 2148 | 436 | chrome.exe | chrome.exe (16 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; the number in brackets is the depth of the process in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Premium_Cleaner(Cracked by st).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Premium_Cleaner(Cracked by st).exe"
  PID: 4900
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Premium_Cleaner(Cracked by st)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1444
    Signatures: Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 4264
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Premium_Cleaner(Cracked by st)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 2768
      Signatures: Creates scheduled task(s)
- [1] C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 436
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8459758,0x7ffcc8459768,0x7ffcc8459778
    PID: 3948
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:2
    PID: 2336
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 908
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 2148
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1756
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1180
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 4136
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 3616
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 3512
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 4564
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 2476
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5096 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 2064
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5328 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 3908
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5184 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1184
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5172 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 2488
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4808 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1452
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3340 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1432
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:8
    PID: 2344
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5628 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1596
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3448 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 1460
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5276 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 4368
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5848 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 2852
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5988 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 4576
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6108 --field-trial-handle=1732,i,5133188471218467162,12617213908173350631,131072 /prefetch:1
    PID: 4520
- [1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 5092
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 5628
- [1] C:\Windows\System32\oobe\UserOOBEBroker.exe
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  PID: 5900
  Signatures: Drops file in Windows directory
- [1] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 1884
Network
MITRE ATT&CK Enterprise v15
Downloads