quasar | 4237fb240d317a51416d08ffc076308fe1043c5bbddba50289fa6fbf965e144a

Analysis

max time kernel
1792s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-05-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VapeV4.exe
Size

3.1MB
MD5

8a1eef0f51ecf22f782e9386b336f0b8
SHA1

f30b1e79466a5f50be6ba17954bb8dc67fce5940
SHA256

4237fb240d317a51416d08ffc076308fe1043c5bbddba50289fa6fbf965e144a
SHA512

307a3e0338b402d16973f3f5971898ceb7a5870db0a8641b73962819f66368c396900e95351d9ee8150de6f33ad431fed65aa74ab36cd0fba15d0c111df77fd6
SSDEEP

49152:mvyI22SsaNYfdPBldt698dBcjH5n8GmzlRoGdm/nTHHB72eh2NT:mvf22SsaNYfdPBldt6+dBcjH5n8/

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.19:65535

Mutex

4f1091c6-9310-46dc-8b99-4128f790dfdd

Attributes

encryption_key
BF250ADA82C0B44923851CC7C0A325B2D748FF1D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows 32 process
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-1-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4908 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2408 schtasks.exe
3572 schtasks.exe

pid	process
4908	Client.exe

pid	process
2408	schtasks.exe
3572	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613584632026918"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2596 chrome.exe
2596 chrome.exe
2616 chrome.exe
2616 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VapeV4.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1844	VapeV4.exe
Token: SeDebugPrivilege	4908	Client.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeCreatePagefilePrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4908 Client.exe

pid	process
4908	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VapeV4.exeClient.exechrome.exe

description	pid	process	target process
PID 1844 wrote to memory of 2408	1844	VapeV4.exe	schtasks.exe
PID 1844 wrote to memory of 2408	1844	VapeV4.exe	schtasks.exe
PID 1844 wrote to memory of 4908	1844	VapeV4.exe	Client.exe
PID 1844 wrote to memory of 4908	1844	VapeV4.exe	Client.exe
PID 4908 wrote to memory of 3572	4908	Client.exe	schtasks.exe
PID 4908 wrote to memory of 3572	4908	Client.exe	schtasks.exe
PID 2596 wrote to memory of 4116	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4116	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 1428	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4268	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4268	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 4996	2596	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VapeV4.exe
"C:\Users\Admin\AppData\Local\Temp\VapeV4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows 32 process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows 32 process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff842b79758,0x7ff842b79768,0x7ff842b79778
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:2
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5092 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5008 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5824 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5896 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6008 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6152 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 --field-trial-handle=1892,i,15991095849516702776,16805146557511072386,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
cf8845c328a8c656208952e548d4e8bc

SHA1
2755efd7f112f4fc38246fe89d190f7d65fae3d9

SHA256
4a6f706a9fb508c261f5b6a1a298f04bdf2723d5fa54aa1105e5330c3741501b

SHA512
26ca8a1c1e1e2772cdda0ba789ec221ce0616432bb88be611cf8931c3c391d42d739a2ca4320090ff4b3c7a13281d2fa38f114b437e025ce4c04dda673d7af2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ba8e8fb45c9bd5c1bcf8fbf82ea64060

SHA1
9f530a9a9ec8edad0dced58da0c511d85995c10f

SHA256
ce772c74808e176a264ccb005136c091797dc0d295277a30af8d19028484dcd1

SHA512
fe6a99da3b41c967f41a4f2988d0a2075eb3306f649b27801f7c0de4cba64220a70908c3ec48a60113cc3e524970adba94211abde2b61b1f5be1191b7b64bd50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b90e0cb4faaaac653fd09f97b47a330f

SHA1
ffdde73692b3bf22b4057a2f2b20e1430f4d7a30

SHA256
3bf2968befe97be2d896cf054074b428bd78ff8eb6f440be7328d891456e6a5e

SHA512
c297fb49ef6881715708eb1d312454b32966c6323f189971aa9a9c6c333f9fe77789bf6ec488c84f35226de85cb532233afa9028b4bc26271dfcf539b8ddf336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
14c3fa8481793268b9f2a446d9999660

SHA1
5b93581a083e73783394794bab14ceeaefad4953

SHA256
e15675f9e233515523876f373cebe3bc45e011964a0ba220c2116aecbbf26ddb

SHA512
c2f915d426befc3c819964093cb1e0db8986a985fe0eeeb0b731e077941d37faded13497d1288cb75ebe432df417ed8bcf278e1738600c77a2ed313946b420ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29239f5e7618b6e78b585a95058ceb10

SHA1
033bc8e3c89530e3985027196c38ab7c86511a9e

SHA256
c5f973411f7bb94a3b524feb7edfddcf6cc70261ee23836f5185b48655b975ac

SHA512
24c918b74be9c2194a20a0a6cf398f5ba4f1dde5d585c52d6e1e8aeb654c35c9170c5938825c9bfb652ca289f271b5ea20c939909d3499e9be27b4662703a34c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
bf5bc413da3fa4f8bde0025d63cd2914

SHA1
e953b4c234208d4cd0f1bfb2c31a4b093119756e

SHA256
9a2471c4304ad0ffd1240a432b2435217f3e183c7882848dd69d03c9325a226a

SHA512
71c3777af5266b97d88d6510e8f678f5a1fa1e386d5581478ca36f37627ac97891b2438545017597dc4e199ca898a70a73506515c9cc07cd10b620721b45e941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f3622acf0824bf325b0c64fd02b294c3

SHA1
1dfdb13c4744b3fb9191b6bf385fdba5f4e88322

SHA256
98af86417d4e8d67eadda1f16aef7221a4504e60f85ad8d6e12fb4634971746a

SHA512
d03eb777c105eee1530e06f1b7a6e73ea4420395ca9bd9a7eed0a1991052841041af7f9eba3377a344aec47fbedae362e90d8820083668dd934eeb74711d19e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
586a1dfdeb9916108ef05a51db9d26dd

SHA1
b8226dd9427cee0b90bf19378703b2015b48ad35

SHA256
88bf887fb495f11daacab432ddbd9851bdf1ccf71fa7f4b79fecf645110a5857

SHA512
7ab3f89055fe8a52909f9296ceddfca79260e87d7b61785a0554e4c5377c962c377ee9c8cd63242fac3aa6cb2d24304be5eec16841747e7c78ee7189f58fe152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7981748379b7685eaa6e57f968bd82d8

SHA1
c6ede48591018235b284082aa2efe9c08d7b04fd

SHA256
667ba54cc63f2b9ab017adfcd147b772ffd19a9694104406ea842ba00cdbbc4b

SHA512
aa60f5509354af91d1862d10e9c8334d9a83dd285b6291e46ccc5689ce608ad1b0005c1d8333cb262d334a53245ea3e6d10ab9fffe05fb3e3a037418ba379c48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9315816d3e2657f31b83dba0224826a8

SHA1
441963b85ebb654aa7756f4166409bab89a16663

SHA256
5d17cf5cedbad189678f6ced37f1d46213f240a4c6ffd280f4a1e88dd169b8f3

SHA512
257c4759f45be104e8dbcb27556b4d4b584e288ecd2f66ce534a2fed92e8f6e968b46b8454bbecf0b0053e28ad041f50f30a2688372c1a2f0ebe01624fc51114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
ce9ec24166e417ea53e015456cadab33

SHA1
e7c87325aabe5b703ffa6ef884a8bee67f306002

SHA256
11223b8697394cb9b0bd4975fd40ed2cbcc14adeacfcf54eb488f14c73ea6c3f

SHA512
86c4e9fd0879bc501424db8ae7f45122029720b1646cab25fd41044740994f25ecbc78abcbe5611d4d5f79eb1c176ee7dabcec3902535a3824a6dbc95c2c2892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
77c69577cf57c02d0c1f97e9c7c50153

SHA1
a5fedc5f1dbee9f8136261ad206aaa4aa37f3b98

SHA256
a2b799ac2bc5928a889bf9aafbeae922d99bb7a83aa3c385a1f3e5eb03dcbe57

SHA512
18799055a3441f5cf88720ebfdd47deb38f40285a1b908b64d5cc9c014ad7fadc149ad73eae31786ba83070727891878ca026a1b8c61bd2db113901e042644d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
bc94d8a36aaba8c2c18ff8029bdede43

SHA1
cd8f3b281c6646517bb8d1b83797d345ee48c1e9

SHA256
e91c815e079b3fcac7e145f219e77c19db527fa80a4fcfe03873f30a5478bb59

SHA512
9e6d39887e50c7c23e9e661948237c3f088cdc3841810cd92fa5506419c0ad91307cc7f2f78e261293ca9650188c355688b8262cf2436dcd0eb9c2072deead51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
6bd78d890a206d8f2fb09c81623d1534

SHA1
364098d65369a4510a63ed5451796196bfdf9f06

SHA256
01ead0939f309af89830a172687c8a01b0c640277e92c8f5f7d19e8320a3ec91

SHA512
de51872111660086810e23f5bd5dd9a99adb986b575cfc9b87a7c345f7ad2eb7e9add5de6edb766bf684555e8391de1e75104060d6f0a3998892129562f672e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
017cf9ef75bc30320a92911adb0d28e0

SHA1
9cb729bb1dde55d7cae1f813a32e5920aa6905f1

SHA256
d2d10f42a011acf5a23eb1a218a34ee4f51a7cbaf91eee8b54e6f29c0d59e594

SHA512
a5a53be6ea4fc3f8d6adbe47bb6907f5cecac986d56e4f55af15788ac80ade3787bb375297b35526bf61ece6578ee7f76a9d205760a217ad4d7453b8e448ffa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b83f.TMP

Filesize
93KB

MD5
9a4c19698c9445504011996112a1d62a

SHA1
170318fc43504f3b414a8a330bab650af10177e5

SHA256
c990c8e35b48f89c391e73b7c87ddbf6cf10e56a8a4c5722c18a63b52c8244b5

SHA512
0add58360cbe066feab41f94801098a98bade78712ea4c9fd51adc8eeb64e95d20e84506d9cf8b2cf061ff0357b8e1cd50a821b0f566103247d9469e8064539a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
8a1eef0f51ecf22f782e9386b336f0b8

SHA1
f30b1e79466a5f50be6ba17954bb8dc67fce5940

SHA256
4237fb240d317a51416d08ffc076308fe1043c5bbddba50289fa6fbf965e144a

SHA512
307a3e0338b402d16973f3f5971898ceb7a5870db0a8641b73962819f66368c396900e95351d9ee8150de6f33ad431fed65aa74ab36cd0fba15d0c111df77fd6

Download Submit
\??\pipe\crashpad_2596_OMSGUPFIPCYGRGDI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1844-9-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/1844-1-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/1844-0-0x00007FF831843000-0x00007FF831844000-memory.dmp

Filesize
4KB

Download
memory/1844-2-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4908-14-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4908-10-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4908-11-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4908-12-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/4908-13-0x000000001BD80000-0x000000001BE32000-memory.dmp

Filesize
712KB

Download
memory/4908-34-0x000000001C6A0000-0x000000001CBC6000-memory.dmp

Filesize
5.1MB

Download