quasar | c4f4b783e9b152a00d5cac8b82d2ae0c74fa848aaa4a524dc5cb81b1576aaab5

Analysis

max time kernel
300s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

2168 schtasks.exe
11 ip-api.com
24 api.ipify.org
29 ip-api.com

pid	process
2168	schtasks.exe
11	ip-api.com
24	api.ipify.org
29	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/2004-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exehoFereQpkkpq.exe

pid process

5056 Client.exe
3748 hoFereQpkkpq.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
29 ip-api.com
11 ip-api.com
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exeschtasks.exeSCHTASKS.exeschtasks.exe

pid process

1644 SCHTASKS.exe
1372 schtasks.exe
1796 SCHTASKS.exe
2168 schtasks.exe

pid	process
5056	Client.exe
3748	hoFereQpkkpq.exe

flow	ioc
24	api.ipify.org
29	ip-api.com
11	ip-api.com

pid	process
1644	SCHTASKS.exe
1372	schtasks.exe
1796	SCHTASKS.exe
2168	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617831779424509"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5064 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

2344 chrome.exe
2344 chrome.exe
2344 chrome.exe
2344 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2344 chrome.exe
2344 chrome.exe
2344 chrome.exe
2344 chrome.exe

pid	process
5064	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni - Copy.exeClient.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	2004	Uni - Copy.exe
Token: SeDebugPrivilege	5056	Client.exe
Token: 33	1240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1240	AUDIODG.EXE
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exehoFereQpkkpq.exe

pid process

5056 Client.exe
3748 hoFereQpkkpq.exe

pid	process
5056	Client.exe
3748	hoFereQpkkpq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy.exeClient.exechrome.exe

description	pid	process	target process
PID 2004 wrote to memory of 2168	2004	Uni - Copy.exe	schtasks.exe
PID 2004 wrote to memory of 2168	2004	Uni - Copy.exe	schtasks.exe
PID 2004 wrote to memory of 2168	2004	Uni - Copy.exe	schtasks.exe
PID 2004 wrote to memory of 5056	2004	Uni - Copy.exe	Client.exe
PID 2004 wrote to memory of 5056	2004	Uni - Copy.exe	Client.exe
PID 2004 wrote to memory of 5056	2004	Uni - Copy.exe	Client.exe
PID 2004 wrote to memory of 1644	2004	Uni - Copy.exe	SCHTASKS.exe
PID 2004 wrote to memory of 1644	2004	Uni - Copy.exe	SCHTASKS.exe
PID 2004 wrote to memory of 1644	2004	Uni - Copy.exe	SCHTASKS.exe
PID 5056 wrote to memory of 1372	5056	Client.exe	schtasks.exe
PID 5056 wrote to memory of 1372	5056	Client.exe	schtasks.exe
PID 5056 wrote to memory of 1372	5056	Client.exe	schtasks.exe
PID 5056 wrote to memory of 3748	5056	Client.exe	hoFereQpkkpq.exe
PID 5056 wrote to memory of 3748	5056	Client.exe	hoFereQpkkpq.exe
PID 5056 wrote to memory of 3748	5056	Client.exe	hoFereQpkkpq.exe
PID 2344 wrote to memory of 4352	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4352	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 4652	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 224	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 224	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 5020	2344	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2168

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1372

C:\Users\Admin\AppData\Local\Temp\hoFereQpkkpq.exe
"C:\Users\Admin\AppData\Local\Temp\hoFereQpkkpq.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PublishStop.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:5064

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ShowRevoke.otf
1⤵
PID:2260

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ShowRevoke.otf
1⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffba1feab58,0x7ffba1feab68,0x7ffba1feab78
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:2
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2668 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:1
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2676 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:1
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:1
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4560 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:1
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2060 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=3084,i,15000409840414264968,8906945958844123789,131072 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9bf592706f5109ca5c62cc633dd17b7d

SHA1
b458f0e046627f0aa3113ac278906e6b287c6fa6

SHA256
9ade915e175293f5060f29f0bb170d794218542e688378a72ff92485a1f76c7d

SHA512
f6a29d89bb8383af3c689f2c8edeee8b4bf17360a7d1b68948d105ecea8d7ae577d4f29f0fa6ee1d01bb5c0a32b9287f65f6e795c5702c78c2e3b4911cc98f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
ef3ca2c459384b93dd1b8f78de3ef872

SHA1
10334eb40940c55dc2ebe02157459784d6b1c163

SHA256
0b21bf51ae440984a7b15d4d8e38b7c8ca2def3a0845860e562bee829ee15078

SHA512
1b1e7fff141e06366a82c88ddb187d7cb1a60f2645f440f8754f952cb9d13ab235cec4d7fc916511440bfcef36cb4c60edf7127a4460c839d807ee06f23ddd46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
27b8e6170d6ae0fe0afea46968c8826a

SHA1
d68a68b0890ce5b224364b01de1ea403c9c1a5cd

SHA256
31b60d6ad52830ff4e404b90007e0102eb8b51b08b672c6d5feb74509257b10c

SHA512
5f607b2d90b1b7f4a91a08cecedb3a6cbc96598d29b39cd2d95a589468743f0d711f4c22d3bc7eb692c932164fa2ab03fafafb65ed35635df67cd6118acbebaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
668aa87320003192111041fafc9d6860

SHA1
a09d723c23181876a7fafaa01a7c32cc0343af07

SHA256
3fd3fbef0dd8fd07d3fb8c3cbe04f4c0740bd09293e728ce201943fcc7377c6c

SHA512
61544b3a4dcb6196428a0fc641992e25c719fb80a7ae156385c24446419a2054df4acb1cb0455eafbc38de90fd8f19fbb3bea1d13af5d98705a69aded4e9bedc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2ed1cda2ec2d8cb93a940379053667c2

SHA1
71a94110299de1452c1c3696fc7a9d7be7c29bd3

SHA256
04e5d80af8e74d2a681dc05ad59650f5f25df847d3a6854340a98c2713697023

SHA512
b35e236da280332cdc499889441c45a5498dabf0d2207247e0f3bb8c0d96879c8d2ba4f049b8566358b92cc29706e06d90432d32198d5258965ddeb398377502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
12408ae5d32e6b0b8b44b279864c2990

SHA1
404528488a58c6a87becb1eec3073a460f13a270

SHA256
03406179e3adc8dad5ae2b0ab3368354392a369890a5e286e192f947ab9ea88f

SHA512
3a71b93321ec37c99d96d6bc95108a436f4c46f9ed54b7084a3ecfe9245aa0b14ff51d9552741235f517819a028cb3257b4a2e340e009d3a30207072089e8cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
d2f33afda639a2709fa285b036e490c6

SHA1
f5113ccd1a1fe9fc5d289de1b234afd42dec121e

SHA256
90071edc7daf548d20edece8444918f4deddb23267c3149967edc49d2e1c73cc

SHA512
7a5e7166aa2e7dab1891b44c2c028acb730871dbe53df9bad8747d5dc7e4bc9b8a4bb95120ea9000391061201b33d3e27eff269657f16e0f8bfc8955fe42e8f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
297KB

MD5
f6f7d1cfa46da46f23bf883d39b76df6

SHA1
f0ab24d8695ac305acd4ca34b50318e174207f4e

SHA256
ae0a0b7216c7a94ddee61dd26cd63f587bd2ceba14f23c3131ea28ae88a134a0

SHA512
a1c1b0de6762c3838043d52fae4ca1073ead471c1c451f346829e6f70338024d7d1771eccc41b92fd73532ea723b0e7d4b158941eb79945f7ef79ded1700b9d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
263KB

MD5
3f44fa13a662f1b12c6babce8101435a

SHA1
b370adadc00e9b61762ed1ff4ae224b2fb4dfee1

SHA256
37898165011ffed408d019876593e510444273a2bcc234166ded5ffca4762361

SHA512
69c34f4c8d1374f224dac6470e6d186759d1d3780c0e53999563ff22ca184959a11577f83a91f6ae1d03d3e939c98045750d56345474092914a0213faf643818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB

MD5
27bcd4f3815b51c510da689f5a924246

SHA1
48d0c935016ab42d49200e412460ac913f84c90d

SHA256
2b2047e1d8562c9ee57674f0444f5fba75ae7c7757a6614a7fb947e42e11ee01

SHA512
08400c07e90aaba37e04bb07682dc6f5cd0efc8c95b69d66c8792e2e285808edbfbb56d6cabd6febd896c460b5d40549385f97dee97e585076daa71da466176f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5b57b2.TMP
Filesize
89KB

MD5
bcce3e6949e65c22aef504d0f3e774aa

SHA1
a824a10775f7bce9bd94e56c90bbc0dd49a66ce7

SHA256
a57e605c1f7740fff52d41a97ad9a3c374f166ef96a52cd15dac87e5a1005a73

SHA512
d5e6eb8e63c9f6cffcea2b04e234713f9952d9c146fa1f8bef98524513c7b4514709c151abf4f9f8ec33916ab57cf9edf36dbebed7214e736878f03a960b4a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoFereQpkkpq.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_2344_NMCZDBGULKWCYYSV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2004-4-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/2004-6-0x0000000005A50000-0x0000000005A62000-memory.dmp

Filesize
72KB

Download
memory/2004-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp

Filesize
432KB

Download
memory/2004-2-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/2004-15-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/2004-3-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/2004-5-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/2004-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/5056-12-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5056-18-0x0000000006570000-0x000000000657A000-memory.dmp

Filesize
40KB

Download
memory/5056-155-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5056-20-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5056-13-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5056-16-0x00000000060B0000-0x00000000060EC000-memory.dmp

Filesize
240KB

Download
memory/5056-19-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download