quasar | c4f4b783e9b152a00d5cac8b82d2ae0c74fa848aaa4a524dc5cb81b1576aaab5

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (5).exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

60 schtasks.exe
11 ip-api.com
30 api.ipify.org
38 ip-api.com

pid	process
60	schtasks.exe
11	ip-api.com
30	api.ipify.org
38	ip-api.com

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/2072-1-0x0000000000960000-0x00000000009CC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeXJKoOH7Ng70W.exe

pid process

936 Client.exe
3036 XJKoOH7Ng70W.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
30 api.ipify.org
38 ip-api.com
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

60 schtasks.exe
2692 SCHTASKS.exe
2792 schtasks.exe
5920 SCHTASKS.exe

pid	process
936	Client.exe
3036	XJKoOH7Ng70W.exe

flow	ioc
11	ip-api.com
30	api.ipify.org
38	ip-api.com

pid	process
60	schtasks.exe
2692	SCHTASKS.exe
2792	schtasks.exe
5920	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617831931829620"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3472 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1076 chrome.exe
1076 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3472 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1076 chrome.exe
1076 chrome.exe
1076 chrome.exe

pid	process
1076	chrome.exe
1076	chrome.exe

pid	process
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni - Copy (5).exeClient.exeAUDIODG.EXEsvchost.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2072	Uni - Copy (5).exe
Token: SeDebugPrivilege	936	Client.exe
Token: 33	2924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2924	AUDIODG.EXE
Token: SeBackupPrivilege	3340	svchost.exe
Token: SeRestorePrivilege	3340	svchost.exe
Token: SeSecurityPrivilege	3340	svchost.exe
Token: SeTakeOwnershipPrivilege	3340	svchost.exe
Token: 35	3340	svchost.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe
Token: SeCreatePagefilePrivilege	1076	chrome.exe
Token: SeShutdownPrivilege	1076	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

vlc.exechrome.exe

pid	process
3472	vlc.exe
3472	vlc.exe
3472	vlc.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe

Suspicious use of SendNotifyMessage 54 IoCs

Processes:

vlc.exechrome.exe

pid	process
3472	vlc.exe
3472	vlc.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeXJKoOH7Ng70W.exevlc.exe

pid process

936 Client.exe
3036 XJKoOH7Ng70W.exe
3472 vlc.exe

pid	process
936	Client.exe
3036	XJKoOH7Ng70W.exe
3472	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (5).exeClient.exechrome.exechrome.exe

description	pid	process	target process
PID 2072 wrote to memory of 60	2072	Uni - Copy (5).exe	schtasks.exe
PID 2072 wrote to memory of 60	2072	Uni - Copy (5).exe	schtasks.exe
PID 2072 wrote to memory of 60	2072	Uni - Copy (5).exe	schtasks.exe
PID 2072 wrote to memory of 936	2072	Uni - Copy (5).exe	Client.exe
PID 2072 wrote to memory of 936	2072	Uni - Copy (5).exe	Client.exe
PID 2072 wrote to memory of 936	2072	Uni - Copy (5).exe	Client.exe
PID 2072 wrote to memory of 2692	2072	Uni - Copy (5).exe	SCHTASKS.exe
PID 2072 wrote to memory of 2692	2072	Uni - Copy (5).exe	SCHTASKS.exe
PID 2072 wrote to memory of 2692	2072	Uni - Copy (5).exe	SCHTASKS.exe
PID 936 wrote to memory of 2792	936	Client.exe	schtasks.exe
PID 936 wrote to memory of 2792	936	Client.exe	schtasks.exe
PID 936 wrote to memory of 2792	936	Client.exe	schtasks.exe
PID 936 wrote to memory of 3036	936	Client.exe	XJKoOH7Ng70W.exe
PID 936 wrote to memory of 3036	936	Client.exe	XJKoOH7Ng70W.exe
PID 936 wrote to memory of 3036	936	Client.exe	XJKoOH7Ng70W.exe
PID 1392 wrote to memory of 1188	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 1188	1392	chrome.exe	chrome.exe
PID 1076 wrote to memory of 5056	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 5056	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 3748	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 2804	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 2804	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe
PID 1076 wrote to memory of 4064	1076	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (5).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (5).exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:60

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2792

C:\Users\Admin\AppData\Local\Temp\XJKoOH7Ng70W.exe
"C:\Users\Admin\AppData\Local\Temp\XJKoOH7Ng70W.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5920

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (5).exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (5).exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\NewSave.aifc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff810ebab58,0x7ff810ebab68,0x7ff810ebab78
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2012,i,5315048740570660780,16862333404287456683,131072 /prefetch:2
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 --field-trial-handle=2012,i,5315048740570660780,16862333404287456683,131072 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810ebab58,0x7ff810ebab68,0x7ff810ebab78
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:2
2⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2008 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:1
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:1
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3644 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:1
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3640 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4308 --field-trial-handle=1664,i,1327322760827374239,17337318274107148458,131072 /prefetch:8
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
9b6ec61355f9a489f4175155181c7fab

SHA1
8276aa585854d8b628cd7a91e1f9edfa15367932

SHA256
98b8c83a36ebb19623c74085ada9f1ac1514333d0ba98516cb647baf1ad937a0

SHA512
a2188de8e6960550b73ae3a432d9ed728240bb691f0e2482818bcbdc7706625c6876e33aff37c118bf696655a1eb33a5307d1647824d3f3d943531b0436b527c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
19af6d84c4a875924cb8853712258a9b

SHA1
da10f916b548b9e4a6467ca19a9e6e6047acab13

SHA256
9f8ae344c390a336fdca35cd7120d32ec0d7c9d0698292487e4549a2af85b531

SHA512
048d6590c1455fb91f95f1af899ac3e0e10c9c7fa30d57a79ac988d8c21ca63b9340eb7ebe539a6d2f31abf95f7b6272e750922c4f0035976f8239aa4a49ce8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
49cbc57e14cf6a613fc082b659ec6fbd

SHA1
440ced22c5984c6bebf8967f37b650769cc066cf

SHA256
987ba1e72ab2a9217df0ffa7ccecfc5b919b3a1fc3fad0cfe47e2385e10e842e

SHA512
9bd10fa1d25e450ef9259f9ceacbf50894c8d84bb5dbbaa68131c93ce826b7c7b3049437c6291be2c9b4bf838566f7a0af79bcdaf5335791ec17bcf572f47bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
055a44d31024e89c056c97882ded6df5

SHA1
d8d6f660107e73c02683171b1ccfeb90761c68c1

SHA256
a68945d13cddd746bead894e6eb4598e1301c33412052e86599f6bf6b2399baa

SHA512
fcc1c6d2ff31db1968151eac253cc72b801901e3cab9041eeaf38c539dd30af20b048d7634ebdd7b0ddf7e6463f037798c1dd7ef1802ec3a01c4aa8ee86b894c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ddeeeecf76f191cb0a209381d2a54890

SHA1
ca70c31cad4ccfb056eca3d88ef3a47f7f73a00b

SHA256
61dc122b94e8194093c31fac32a80a1a2cb4740376a2890bc90fcfa1b976c433

SHA512
df3cc55f4440b0bc1096fa20b38498bb2686ad2f0257e6887cdf999e3141218e5e37b88e4b3f0474daa7b6f2b69e21926f903a7f58e72a3fd142e3b56ede4a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
65bfaf998559cb76d5a3a404f0dee598

SHA1
95a131bb2c17001961530bd5d28dfd954aa4073c

SHA256
56dd4777d34fb410df4a701e44f2b6f3a0de8ee210fbf77eea6f0b9f0f56ec27

SHA512
97e1c6079bfaed6ada76b8c30354c291a3540f782be50cc402143b539cd7407ebe2b4df43c33fe39be017ff8eb713c78d13ee705825cc8ad1835125b3e2dbc69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
0d3fe2946879aa54108e6c354f01c63f

SHA1
41cd2d835980e27eeaba6e827ec6248ceb281a82

SHA256
71fe80012da0741eee606a7be988d0198b821e8502981f7fb71fe09126ff0c34

SHA512
ef542070f267708136f921e0ff2e3eaa042912022d15b8898e7a5d920b3ab0b9b696986a08f3fb5473eba445c83b45ff156210d1314e3d8edd978d905ef3c6d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
89e99c2834c6db2e00062b2766085762

SHA1
ee5a8a12f1d0612a6b72e0dd711a6d03a5006fe2

SHA256
7f5f34607a5b0439d860c09056b82f660179767dc3bb764771ee16e45e95f5fc

SHA512
c1565e2bd2843c941cf8b2492946ca8c0bfc0a2939dbf5a6ad5f90a3a5493b600e04a3b641c9df1b14fbeaa6b623404dfd3573fbc7dcba75a5ad34874bfdc824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJKoOH7Ng70W.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_1076_BYIZJMCUEIPTMLQM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/936-19-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/936-20-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/936-18-0x0000000006AF0000-0x0000000006AFA000-memory.dmp

Filesize
40KB

Download
memory/936-16-0x0000000006620000-0x000000000665C000-memory.dmp

Filesize
240KB

Download
memory/936-260-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/936-13-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/936-12-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2072-6-0x0000000005800000-0x0000000005812000-memory.dmp

Filesize
72KB

Download
memory/2072-5-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/2072-4-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2072-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2072-3-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/2072-2-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/2072-15-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2072-1-0x0000000000960000-0x00000000009CC000-memory.dmp

Filesize
432KB

Download
memory/3472-35-0x00007FF815E60000-0x00007FF815E77000-memory.dmp

Filesize
92KB

Download
memory/3472-43-0x00007FF813A80000-0x00007FF813A98000-memory.dmp

Filesize
96KB

Download
memory/3472-34-0x00007FF815E80000-0x00007FF815E91000-memory.dmp

Filesize
68KB

Download
memory/3472-33-0x00007FF816640000-0x00007FF816657000-memory.dmp

Filesize
92KB

Download
memory/3472-31-0x00007FF8157F0000-0x00007FF815AA6000-memory.dmp

Filesize
2.7MB

Download
memory/3472-32-0x00007FF81C2D0000-0x00007FF81C2E8000-memory.dmp

Filesize
96KB

Download
memory/3472-48-0x0000029354600000-0x0000029355E6F000-memory.dmp

Filesize
24.4MB

Download
memory/3472-62-0x00007FF813AA0000-0x00007FF814B50000-memory.dmp

Filesize
16.7MB

Download
memory/3472-44-0x00007FF813A60000-0x00007FF813A71000-memory.dmp

Filesize
68KB

Download
memory/3472-42-0x00007FF813AA0000-0x00007FF814B50000-memory.dmp

Filesize
16.7MB

Download
memory/3472-45-0x00007FF813A40000-0x00007FF813A51000-memory.dmp

Filesize
68KB

Download
memory/3472-46-0x00007FF813A20000-0x00007FF813A31000-memory.dmp

Filesize
68KB

Download
memory/3472-47-0x00007FF812D10000-0x00007FF812D21000-memory.dmp

Filesize
68KB

Download
memory/3472-155-0x00007FF813AA0000-0x00007FF814B50000-memory.dmp

Filesize
16.7MB

Download
memory/3472-36-0x00007FF814E20000-0x00007FF814E31000-memory.dmp

Filesize
68KB

Download
memory/3472-38-0x00007FF814DE0000-0x00007FF814DF1000-memory.dmp

Filesize
68KB

Download
memory/3472-40-0x00007FF814B80000-0x00007FF814BC1000-memory.dmp

Filesize
260KB

Download
memory/3472-41-0x00007FF814B50000-0x00007FF814B71000-memory.dmp

Filesize
132KB

Download
memory/3472-39-0x00007FF814BD0000-0x00007FF814DDB000-memory.dmp

Filesize
2.0MB

Download
memory/3472-37-0x00007FF814E00000-0x00007FF814E1D000-memory.dmp

Filesize
116KB

Download
memory/3472-29-0x00007FF74FC50000-0x00007FF74FD48000-memory.dmp

Filesize
992KB

Download
memory/3472-30-0x00007FF816BD0000-0x00007FF816C04000-memory.dmp

Filesize
208KB

Download