Analysis
max time kernel: 1032s
max time network: 1042s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 17-04-2024 15:18

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240221-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: eb8790c82d5096b84022449c2298c62a
SHA1: 12030a6f4988fb744328bc1963c7017207e40276
SHA256: 5bc8c6aa7ccb11de2b19cabc08c096025da18e7898c5e8227ef109c266820f82
SHA512: d4d7ac397e023e6c08dfd6681e802d4c52d56a45a4e66acd53bc0138d3ed45f3930ef0d90cdeaafcf478d08ecab28cae61ffe5c571fa4c37be39497f16891464
SSDEEP: 49152:WvIt62XlaSFNWPjljiFa2RoUYIruW+dpfYoGdizZDTHHB72eh2NT:WvE62XlaSFNWPjljiFXRoUYI6W9
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (client tag): Office04
C2: 192.168.1.240:4782
Mutex: fcdb4cfb-dc40-4f51-b2c7-f723b5404e35
Attributes:
encryption_key: 1074AFFC8845D6B93DCAD37B9C170AE9CD58D08A
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Windowsstartup
subdirectory: SubDir

Reading the config against the behaviour recorded below: install_name and subdirectory together give the drop location %AppData%\SubDir\Client.exe (observed as C:\Users\Admin\AppData\Roaming\SubDir\Client.exe), startup_key is the name of the scheduled task the sample registers, and log_directory is the folder Quasar uses for its keylogger output. The C2 is an RFC 1918 address, so this build calls back to a host on a private LAN rather than a public server, which is typical of a test or lab build; 4782 is the Quasar builder's default listener port and Office04 its default tag, so neither value identifies a particular operator.
Signatures

Quasar payload (3 IoCs)
resource -> yara_rule:
- behavioral1/memory/2732-0-0x0000000000E50000-0x0000000001174000-memory.dmp -> family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> family_quasar
- behavioral1/memory/2664-9-0x0000000000910000-0x0000000000C34000-memory.dmp -> family_quasar
The rule matches the image of the original process (PID 2732), the dropped copy on disk, and the image of the dropped copy once running (PID 2664).
Executes dropped EXE (1 IoC)
- PID 2664 Client.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2904 schtasks.exe (spawned by Client-built.exe, PID 2732)
- PID 2660 schtasks.exe (spawned by the dropped Client.exe, PID 2664)
Both invocations register the same ONLOGON task, "Windowsstartup", which launches C:\Users\Admin\AppData\Roaming\SubDir\Client.exe with /rl HIGHEST and /f (overwrite any existing task of that name); the full command lines are in the process tree below. The task name comes straight from the startup_key config value, so the same string is a usable host-based indicator.
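The schtasks pattern above (ONLOGON trigger, HIGHEST run level, /f, a target under the user's AppData, and schtasks itself launched from AppData) is a compact detection signal. The following Python is an added example by the editor, not part of the Tria.ge report or of Quasar: it tokenises a Windows command line, parses the schtasks switches, scores each invocation, and runs the scorer over constructed process-creation records. The first two records reproduce the two schtasks invocations from this report (PIDs 2904 and 2660); the ScheduledDefrag and /query records are invented benign controls. The list of user-writable directories, the choice of signals and the two-signal threshold are the editor's own assumptions.

```python
"""Flag schtasks.exe invocations that look like user-level persistence.

Added example (editor's code, not the report's). Heuristics and sample
events are constructed; see the comments on each."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A task whose /tr target
# lives here is reachable by malware that never escalated. (Assumed list.)
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"tn", "sc", "tr", "rl", "ru", "rp", "st", "sd", "ed",
                  "mo", "d", "m", "du", "ri", "xml", "s", "u", "p", "ec"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted spans intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return {switch: value} for a schtasks.exe command line, else None."""
    args = split_cmdline(cmdline)
    if not args or ntpath.basename(args[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str] = {}
    i = 1
    while i < len(args):
        tok = args[i]
        if tok[:1] in ("/", "-"):
            name = tok[1:].lower()
            if name in VALUE_SWITCHES and i + 1 < len(args):
                opts[name] = args[i + 1]
                i += 2
                continue
            opts[name] = ""  # boolean switch such as /create or /f
        i += 1
    return opts


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str]


def assess(cmdline: str, parent_image: str = "") -> Verdict:
    """Score one schtasks /create; two or more independent signals flag it."""
    opts = parse_schtasks(cmdline)
    if opts is None or "create" not in opts:
        return Verdict(False, [])
    reasons: list[str] = []
    target = opts.get("tr", "").lower()
    if any(d in target for d in USER_WRITABLE):
        reasons.append(f"task runs a binary from a user-writable path: {opts['tr']}")
    if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
        reasons.append(f"boot/logon trigger (/sc {opts['sc']})")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level (/rl HIGHEST)")
    if "f" in opts:
        reasons.append("/f silently overwrites an existing task of the same name")
    if any(d in parent_image.lower() for d in USER_WRITABLE):
        reasons.append(f"schtasks launched from a user-writable path: {parent_image}")
    return Verdict(len(reasons) >= 2, reasons)


# Constructed process-creation records. The first two mirror PIDs 2904 and
# 2660 from the report; the last two are invented benign controls.
QUASAR_CMD = (r'"schtasks" /create /tn "Windowsstartup" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')
SAMPLE_EVENTS = [
    {"pid": 2904, "parent": r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe", "cmdline": QUASAR_CMD},
    {"pid": 2660, "parent": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe", "cmdline": QUASAR_CMD},
    {"pid": 4120, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks /create /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /sc WEEKLY /d SUN /tr "C:\Windows\System32\defrag.exe -c" /ru SYSTEM'},
    {"pid": 4200, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /query /tn "Windowsstartup"'},
]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every event that assess() flags."""
    hits = []
    for ev in events:
        verdict = assess(ev["cmdline"], ev["parent"])
        if verdict.suspicious:
            hits.append((ev["pid"], verdict.reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: " + "; ".join(reasons))
```

In production the records would come from Sysmon Event ID 1 or Security 4688 (CommandLine and ParentImage fields), or from the 4698 task-creation event; the parser is deliberately tolerant of the quoted `"schtasks"` image name the sample uses, which is why the basename check rather than a full-path check is applied.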
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads are by chrome.exe, so they are background activity of the sandbox image rather than behaviour of the sample.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE. Every entry is attributed to Internet Explorer, not to the sample; it is browser noise from the sandbox session. All paths below are relative to \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer.
- Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int) SearchScopes\DownloadRetries = "3" (iexplore.exe)
- Set value (int) Toolbar\WebBrowser\ITBar7Height = "21" (IEXPLORE.EXE)
- Key created BrowserEmulation\LowMic (iexplore.exe)
- Key created IntelliForms (iexplore.exe)
- Key created LowRegistry (iexplore.exe)
- Set value (str) Main\FullScreen = "no" (iexplore.exe)
- Key created PageSetup (iexplore.exe)
- Key created Toolbar (iexplore.exe)
- Set value (int) Recovery\AdminActive\{5E1F2511-FCCE-11EE-917A-EA263619F6CB} = "0" (iexplore.exe)
- Key created Recovery\PendingDelete (iexplore.exe)
- Key created Main (iexplore.exe)
- Key created Main (IEXPLORE.EXE)
- Key created Main (IEXPLORE.EXE)
- Key created Toolbar\WebBrowser (IEXPLORE.EXE)
- Key created InternetRegistry (iexplore.exe)
- Key created LowRegistry\DOMStorage (iexplore.exe)
- Key created LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (int) Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Key created MINIE (iexplore.exe)
- Key created IETld\LowMic (iexplore.exe)
- Key created Main\WindowsSearch (iexplore.exe)
- Set value (int) Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EFB00E53-D0C7-11EE-917A-EA263619F6CB}.dat = "0" (iexplore.exe)
- Key created SearchScopes (iexplore.exe)
- Key created Toolbar\WebBrowser (iexplore.exe)
- Key created Zoom (iexplore.exe)
- Key created Toolbar (IEXPLORE.EXE)
- Set value (int) Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created Recovery\AdminActive (iexplore.exe)
- Key created Recovery\PendingRecovery (iexplore.exe)
- Set value (int) Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created GPU (iexplore.exe)
- Set value (str) Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int) Toolbar\WebBrowser\ITBar7Height = "0" (IEXPLORE.EXE)
- Set value (int) MINIE\TabBandWidth = "500" (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2184 chrome.exe
- PID 2184 chrome.exe
- PID 2720 iexplore.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2664 Client.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2732 Client-built.exe
- Token: SeDebugPrivilege, PID 2664 Client.exe
- Token: SeShutdownPrivilege, PID 2184 chrome.exe (the remaining 62 entries, all identical)
The two SeDebugPrivilege entries are the relevant ones: both Quasar processes enable the privilege that allows opening handles to arbitrary processes. The SeShutdownPrivilege entries belong to chrome.exe and are ordinary browser behaviour.
Suspicious use of FindShellTrayWindow (36 IoCs)
- PID 2184 chrome.exe (35 entries)
- PID 2720 iexplore.exe
Suspicious use of SendNotifyMessage (32 IoCs)
- PID 2184 chrome.exe (32 entries)
Suspicious use of SetWindowsHookEx (15 IoCs)
- PID 2664 Client.exe (1 entry)
- PID 2720 iexplore.exe (5 entries)
- PID 2428 IEXPLORE.EXE (4 entries)
- PID 2092 IEXPLORE.EXE is not present; the remaining 5 entries are PID 1092 IEXPLORE.EXE
The single hook installed by the dropped Client.exe is the one worth noting: a SetWindowsHookEx call from a RAT process is consistent with a keyboard hook, the mechanism Quasar's keylogger component relies on. The Internet Explorer entries are normal browser activity.
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2732 Client-built.exe wrote to memory of PID 2904 schtasks.exe (3 entries)
- PID 2732 Client-built.exe wrote to memory of PID 2664 Client.exe (3 entries)
- PID 2664 Client.exe wrote to memory of PID 2660 schtasks.exe (3 entries)
- PID 2184 chrome.exe wrote to memory of PID 900 chrome.exe (3 entries)
- PID 2184 chrome.exe wrote to memory of PID 1232 chrome.exe (repeated many times)
- PID 2184 chrome.exe wrote to memory of PID 1156 chrome.exe (3 entries)
- PID 2184 chrome.exe wrote to memory of PID 2816 chrome.exe (10 entries)
The sample's writes are all parent-to-child writes into processes it has just created (schtasks.exe and the dropped Client.exe), which is how process creation with an inherited environment looks in this sandbox; they are not injection into unrelated processes. The chrome.exe entries are the browser writing to its own child processes.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 2732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 2904)
    Command line: "schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2664)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2660)
      Command line: "schtasks" /create /tn "Windowsstartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
- C:\Windows\explorer.exe (PID 2948)
  Command line: "C:\Windows\explorer.exe"
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2184)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 900)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee179758,0x7feee179768,0x7feee179778
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1232)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1156)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2816)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1868)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2032)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1708)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2912)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1340 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 860)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2684)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2492)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1148,i,4498509610772567175,15961627691273312008,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2408)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2720)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  Signatures: Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2428)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1092)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:209938 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 2804)
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 1548)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: da48eebeaaf084758fc87530828e1f14
  SHA1: 8cb838c780257dd9fc9c7d675cfeb9ee9ab919f6
  SHA256: 6c58522a9a7ea366ceab394b23c5729ac500e6461f29c0d0ef0bac8e7e76da2d
  SHA512: be1744ca874bd803f2b093a3168bb82a597cc67240c4fb7e468fb859aa444ecb42bd5f631a8739371ecd6ff385bd0820587f0da55bc4d2fd9f0213f52fd82dcc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fa684bf465f2e77a377277bc6c985fc1
  SHA1: e5e8e46447995c70f762f1f6a21d0a9f4f68b51d
  SHA256: 61e6f25c3bb4145a7dc3f8b090b71e34fe3672bb4ca7f8ba86d4482735823f25
  SHA512: 5d371631054f88b9cc1ba440edcc6583d29e244bfaf4970cd4fd6c60510ef32cbc9d9f8ef2c03920de0e7c88cc279916ae2c6dea65ac89ae5a7185da31390b05
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e0002d4181f250f063b41ae75970662f
  SHA1: 315bb152c3a1bcdf39185876261468e1862b089e
  SHA256: 931b2177b1b975c63562e9466d85ba24be5da00e938c71d3819a4eaa4b67483a
  SHA512: 83547b61ea2b98155c62dc4d0e4b4a531f0feb1befe41412d361e91bd1c46acf1b2f7a9b1407b2a2fee8630992d56f9107af6508f9f3c5747bcbf0f717571425
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4003540791072fa44394b82a2dad99b9
  SHA1: 142d065d37f9bde36d2404edf2c13b110bb98d4c
  SHA256: d297c84100c593d81826ba461c6b445e47a9861df79a80e4822fe9e46c619e95
  SHA512: 03f103e8c7f44bbb19f28e1ec166fc411f42faf12d929da8cb275750cbfbb42254fe4e5489d76f5a4d4b286049c17a2aab1e32ef68eb02f487cf6d3cd90e17e3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 72bf4c1251ebc2c021fd25e27b07f2a2
  SHA1: fd2f008ae6ea8e3090b6877157cb7da03085522a
  SHA256: 15b0fbc83c71be7422f17cb32c4d075fdcc2010d85e15dfe2981f3cf6f9c4133
  SHA512: d71792fc225fbfb014afd6bdf7c2e069e12eae03c95e396c4dd82947dcdbe72b15107bae455d2f191b35269be4c368a0dc1c2e4adeb3ba4e105d32b69f44bea1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 99a697e0ba8e049d3b3d1c66157302f7
  SHA1: a397b020de273759748204766c4e3581dc459e1c
  SHA256: f12dc38796ed011e3c98c9758c1a9b8ab2ba2d8b5a781600a083ca5af2925bf1
  SHA512: defc2faf5475052b44bdfbf61903440382334049c45198031a5080510d6482fe384610227ea0d0ce5a7658a845a7fc5c54589625a92bbd9001b3ed6bfcd7abec
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: bfa6782193ede4bd80a9847f1557a755
  SHA1: 3a5ed2da9e0dafc1f3b68944a71398df916621d3
  SHA256: 66b970bdfebe4f3486a2ecf6a94ad9702679fc1d1d77ddc46cce7a14a6f24344
  SHA512: d94d4bd55670d05645eb518e150cecd586ea736d8798653ea29377539b67f21e1bf5e28636d50c5c010f85eb1220bc0e6d7f4017c09e46f5b4ea6d93d0ec3e51
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d52c26c5db1e9cc7baa446d6cdfa74fc
  SHA1: e8f809d5accc8ac1fe23c00ff21fdd0dfb8801b3
  SHA256: 4961bc563f08171bac4f760708204415aa82abc3e21773d17c51396b09f6e476
  SHA512: 6978af17ee103d51aa31c5ca208379bc3e28b91f4933963b9d945ccac717edc3b3b1a6ba25165c03d0ab03a3655f775afae59a40f539dd9f60f6670436ec06c2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 20c84877a02a358e70a9d1fb001aa275
  SHA1: d32b07c0f5eec8b9f1fb261e15fbaa65d78ee8ad
  SHA256: 9bf43f80cf4206c6c88ab333a4894ce687392d7ba6f3f1fa541a58a2fe076bd5
  SHA512: 75df494fc5b7cc85c4f40cac6b073d2a22e27711cf1d37e8f794badcf0ddd7ab2d98a3ea78e9f6646f1b2823ca0cd49b93d334f736d551da5dc7847c0b7852d1
- Filesize: 264KB
  MD5: 26914d75b08888a281f25f672021b7b5
  SHA1: 070f719254f05230c63da22c74360c6987291e8b
  SHA256: af07b1d542962f430e02acd29b492e0fabeede995b235acfe83b34b41e23d12e
  SHA512: 0d866a9c71b5c3248138e0308d041a44a94d40f634187ba1cf951be82ca6fb92ddb65ffffe41db038c9fdbe1d27facfb451f21530454426d62b8c856a5b66e25
- Filesize: 16B
  MD5: aefd77f47fb84fae5ea194496b44c67a
  SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 5KB
  MD5: 57ecc98a3a0933228956257918f6ed4e
  SHA1: 89418506cbedc423d31b8478b55f29b4a43fad10
  SHA256: 71eec5739e1c1f0f5b75d78c55c23bffbf62c85775e6bdcb7d5f1c61a0aa1f4a
  SHA512: e47f049127e2bc622965abe56637bc0fb61ab24f519530d560f80c761d9f6fc7f529848d755262ec2f579e646621a4aaea138b963397446f06415e4a26fdb199
- Filesize: 5KB
  MD5: 70610c45e71ae60a1e721eb6c3cde9d4
  SHA1: df9de3a6008363e7771af9ec9c54dd40287e771c
  SHA256: 6b7512776078c207e7bb635d355e5bbf53088638eb9bed566d0092bf7ac12495
  SHA512: 6ef48b66bb5fdae4df26d8399cb9906360fa229111101d4d149df8b48e9a820a5c8583c36d0b1dc06f9c0c19b486e52124c674612562649c31adbd400953405f
- Filesize: 5KB
  MD5: 88d6d9d261dbdc8d693bc2334b7b6b17
  SHA1: 5cb4b8986afd02279e7716e18844b7c7b077cb9b
  SHA256: 671eb917cfb3ef8d4c1c6dfc859ff424d3b68239abdbeead42fd14521f059d72
  SHA512: fe433e0dcd05717506b003c0038d2b96112fb915718c8021c8ed9d5a8438ed5095340cbebf8ffecea507c83af108f7528cfbba7f9dedf5c37cde6de24e4a8079
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
  Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- Filesize: 264KB
  MD5: df8eaea0eb500c51ac55b4a132b7ed96
  SHA1: 074605892329ba31d19032b28b0c8e036f0087c1
  SHA256: 0ea8aa3113a0024fdc6f0b9affff698b9f18f61e658ab132c811afcbf2d24f57
  SHA512: aca2e38d57bb863317f82d355a3b861576475d21bb177bb9fa183d8db56b516cc5d39cda609aaf2bd2c545921d0d21202ee2f3d60caddfb6cbaf5016d344971e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[1].xml
  Filesize: 601B
  MD5: b2130aab9684ead28494c033cdc03b27
  SHA1: f2a722f874edcf5fecd4b90dec824af651231d69
  SHA256: 4e73d6ff38214f43dc41d85ce1c9c8d61ea842d1db20eae5f1a21c0e09c99454
  SHA512: 447bc2b113ec995663b779e1b39741a43044a189896e460225ccc938d54636ebc5aed1d7fa7caefeecde2b839cfa080cbbb8996c4a66316a6a20d09aad44ff53
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[2].xml
  Filesize: 610B
  MD5: bac742f0e7c5f35ac3505c93ca1104c9
  SHA1: a9635e3ba1abb12206bdaa4236fb44789ac8be5a
  SHA256: e2f18b1a6b5db2451c94083e09a93c8542d2be4434aab0993cb7f5e22f46fc02
  SHA512: 4f6dfdda05595e41dcd319996e6c8b7145b4aeeea081003920fb6f3a04d7e0076d1cd2ce132bbc96c42e4bc844fbc9aef676ec8f071c0b1b76384309d01a32a0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[3].xml
  Filesize: 611B
  MD5: da3e372243ed748f15b04ce84a6cd28c
  SHA1: e7f1c63b32d31b77631c783ac3e2739cb82cabc0
  SHA256: e2ecffea9da045ebbf5ba4faa746ebea2c8af1a8759c830d5362251e3add3a59
  SHA512: b3941b06762239e1b576c5a5f8b2c4889b261d8a549d8546dd8097a2d9683c70508fd2318cfcb260557976a817260ff4ec159779b96d7d2e1435a51428db6641
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\qsml[4].xml
  Filesize: 612B
  MD5: 9cb760b23d8247e69005c5860659b469
  SHA1: ac3bf20ccefed1afbc424d9099e78872ea97b922
  SHA256: d4e5aa8c00d29970694212209cfb782168ad2bfcca178544a750ec970cb3c119
  SHA512: 287a101d5be8e101b5124aadd89424e0758118aef35df554f049cf15236597109446867feda69aa58389eefe3a069f25f9cfa97f12265ceccfa6b4392c31c452
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 16KB
  MD5: e101698f9be392500cb7d249c21d6ecd
  SHA1: 225bc9c3315a51d6231fc82d847e2813798b7c4f
  SHA256: 27983beb2999ff35b9835c4de0d5ec424e1cacfe131d1082e2fed82eadc5766c
  SHA512: d6a996ff4fa8f0d5b1b86ed1513922c119c10dd583e9e04c45a1c6825664515d2551b8c5926d3863ea9b5b719eff1939fb135485e29ed9e7c3a91b52a871b804
- Filesize: 499B
  MD5: e3532e524b182ff59c0dbc45d51d04cb
  SHA1: 20dde2e88a2326d326dec6272d23f0f0a7b33185
  SHA256: 3cded7c965508b61646eaa7c12a145411fdb5bf4e98da371abea3dc45ea9be0e
  SHA512: 021f9f034f1bca1f4b1e65c2ae1c647d9cd693f17600eba82cdabe39f341db5cc8d3bfbcb634b86546e332130f64c0a17ca0930ac4d7fc1c9a5f3f7fd7765c74
- Filesize: 3.1MB
  MD5: eb8790c82d5096b84022449c2298c62a
  SHA1: 12030a6f4988fb744328bc1963c7017207e40276
  SHA256: 5bc8c6aa7ccb11de2b19cabc08c096025da18e7898c5e8227ef109c266820f82
  SHA512: d4d7ac397e023e6c08dfd6681e802d4c52d56a45a4e66acd53bc0138d3ed45f3930ef0d90cdeaafcf478d08ecab28cae61ffe5c571fa4c37be39497f16891464
  Same size and hashes as the submitted sample, consistent with the dropped C:\Users\Admin\AppData\Roaming\SubDir\Client.exe being a byte-for-byte copy of Client-built.exe; one set of file hashes therefore covers both the original and the persisted copy.
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-byte input, so this entry is an empty file and carries no indicator value.