quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (17) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/1472-1-0x0000000000FC0000-0x000000000102C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exea2StfJfbfh6z.exe

pid process

3408 Client.exe
3444 a2StfJfbfh6z.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

5024 schtasks.exe
3380 SCHTASKS.exe
4604 schtasks.exe
2392 SCHTASKS.exe

pid	process
3408	Client.exe
3444	a2StfJfbfh6z.exe

flow	ioc
12	ip-api.com

pid	process
5024	schtasks.exe
3380	SCHTASKS.exe
4604	schtasks.exe
2392	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617832047988003"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4756 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3108 chrome.exe
3108 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4756 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3108 chrome.exe
3108 chrome.exe
3108 chrome.exe
3108 chrome.exe
3108 chrome.exe
3108 chrome.exe

pid	process
3108	chrome.exe
3108	chrome.exe

pid	process
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni - Copy (17) - Copy.exeClient.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	1472	Uni - Copy (17) - Copy.exe
Token: SeDebugPrivilege	3408	Client.exe
Token: 33	1152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1152	AUDIODG.EXE
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe
Token: SeShutdownPrivilege	3108	chrome.exe
Token: SeCreatePagefilePrivilege	3108	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

vlc.exechrome.exe

pid	process
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

vlc.exechrome.exe

pid	process
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
4756	vlc.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exea2StfJfbfh6z.exevlc.exe

pid process

3408 Client.exe
3444 a2StfJfbfh6z.exe
4756 vlc.exe

pid	process
3408	Client.exe
3444	a2StfJfbfh6z.exe
4756	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (17) - Copy.exeClient.exechrome.exe

description	pid	process	target process
PID 1472 wrote to memory of 4604	1472	Uni - Copy (17) - Copy.exe	schtasks.exe
PID 1472 wrote to memory of 4604	1472	Uni - Copy (17) - Copy.exe	schtasks.exe
PID 1472 wrote to memory of 4604	1472	Uni - Copy (17) - Copy.exe	schtasks.exe
PID 1472 wrote to memory of 3408	1472	Uni - Copy (17) - Copy.exe	Client.exe
PID 1472 wrote to memory of 3408	1472	Uni - Copy (17) - Copy.exe	Client.exe
PID 1472 wrote to memory of 3408	1472	Uni - Copy (17) - Copy.exe	Client.exe
PID 1472 wrote to memory of 2392	1472	Uni - Copy (17) - Copy.exe	SCHTASKS.exe
PID 1472 wrote to memory of 2392	1472	Uni - Copy (17) - Copy.exe	SCHTASKS.exe
PID 1472 wrote to memory of 2392	1472	Uni - Copy (17) - Copy.exe	SCHTASKS.exe
PID 3408 wrote to memory of 5024	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 5024	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 5024	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 3444	3408	Client.exe	a2StfJfbfh6z.exe
PID 3408 wrote to memory of 3444	3408	Client.exe	a2StfJfbfh6z.exe
PID 3408 wrote to memory of 3444	3408	Client.exe	a2StfJfbfh6z.exe
PID 3108 wrote to memory of 3428	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 3428	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1712	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1368	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 1368	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe
PID 3108 wrote to memory of 4928	3108	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4604

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5024

C:\Users\Admin\AppData\Local\Temp\a2StfJfbfh6z.exe
"C:\Users\Admin\AppData\Local\Temp\a2StfJfbfh6z.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (17) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointConvertTo.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8df78ab58,0x7ff8df78ab68,0x7ff8df78ab78
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:2
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2308 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5240 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4620 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5156 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:1
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3336 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3384 --field-trial-handle=2012,i,11905856369109533262,16882511278124252668,131072 /prefetch:8
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031
Filesize
27KB

MD5
97f07e182259f3e5f7cf67865bb1d8f0

SHA1
78c49303cb2a9121087a45770389ca1da03cbcdf

SHA256
c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c

SHA512
10056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
2e78533dd9b85b6598f71d1243aeac6a

SHA1
e000d86a0a367f4d4786e89a01b3b0971d71be3a

SHA256
a6e9a24a334e52a90f0b04173f2bcae20a859b86a8cce794cad10fdf192d8ab1

SHA512
6236a15f065486a5d5abf092e5137cb22e972d023590a8a76357f41ee70a2894aa8aec6ac3e831ce5223159c24244ac0e9a39987ad9df885114840e6caa55da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
e374d92650ee9d689f654795d41be270

SHA1
80682a12a3af062074277385dd43ca46c9021793

SHA256
ea728e6840417ed2b86496c061e22b74583a084a56ab2334934b1b5a05d7bdea

SHA512
a5907889a0d318d9523e61c584752b1f9fbd4a5eecd691b80f8a72a4306192d52b86f7cc8a8e669aec411f9c2965c53b4a9d8609c08fe8264f405b747cb24db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
134b68d8b4bc04a959bba7818e5ed92a

SHA1
fb3c93f2484a03de5c0828d47a79b5355b6f2a75

SHA256
21d11f13819c455214a4621071039bd6f660a9d9faec271f0a942e95af4b6211

SHA512
142f66abf18b7b2ea8b30d2fe98934fcd189fc96cf1b8569de279f48785544f0db222bd13c093ff4d6134c3d68524be8cca1fa1c4e4f40b8a3bb6b40e45c95b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1ff2a0b694156d94c923d4f88cbd14ef

SHA1
f1df31619f024351f9e0f04c4b14db93d03aae37

SHA256
6f25c2790eeacff81d09fb75677e18286167c463ab825a46ca43043b5f74abfd

SHA512
3b2efacce1ee909865beabfbf00a41621953679c08747959cefa05be92750c826ebfdc9d8d4731208ab4429bdc7a4e793e46fab3225ceb8d073ecc44064d6ffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
083f4dbc68d1eedb83fa8920ea8ae64d

SHA1
5626bb1be9021cc22e2c2e0098cc95b4143f5e0c

SHA256
640187313f33583dc08df7e80b4504f71583e27bbb8a28d5b0a629a04c5f42b7

SHA512
b1ca3bc5a66ecbec6cead8c779d9223633e2d2dace5a4d5679b2181a47631ffea1460dee6cb530f7605e7eda23011aa1bf62ec3f6e9510c62ede7f435bb6e7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
ccff431693001fbb08f79e0e69f77e17

SHA1
0e46f82ed7a94a29a1a1352d654cc4354bd6dc7a

SHA256
b92bcedc32068def59e756ace6f88b53e689cbb035ca8caba2a28c08fc00b934

SHA512
0b6e17a71a8f3ea8402792be68716c129aa1e17f6a76428b08996d0c6ccc0fd6dc542f69bfaf67df19edc0f41387a621ac137ec69f8e0af581dd270e6ee50d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
226c9eed387897c8cfc7fbe1ead35fc0

SHA1
ff67d89013dd06b095a6cb2b07a018e51ecb4b91

SHA256
9e45671c83a3d550c66315f79e406bd654c784c990d89e71ccc6574588cd5f63

SHA512
10f8bd6705e583101c584f7eec3f8291fd8a9ecadd0aca39fef2e9ed5565799804596930722974285964fbd890995006edd1415b7e410bb87c49d457dd874c16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5b18c4.TMP
Filesize
88KB

MD5
b159366defad11dfabe32971b57afc9f

SHA1
86237711ed40e137f7acf62fff14d9ab7634261d

SHA256
f0d38322cb01d66435a1f335c7c70b0daffc5e7b4c139e72aa5c3f3242f5cdb1

SHA512
9233a1fc8f71a1638e861bc593b80e3388b74b4871fbb34f11d0028bbbeab4677bb07f58e6c9488ce3397ded05b8257360f0fbcf1fc4075e70a98e23b07b05f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2StfJfbfh6z.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_3108_RTCNCRJNPBZXODKE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1472-16-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1472-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/1472-7-0x0000000006C50000-0x0000000006C8C000-memory.dmp

Filesize
240KB

Download
memory/1472-6-0x0000000006050000-0x0000000006062000-memory.dmp

Filesize
72KB

Download
memory/1472-5-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/1472-4-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1472-3-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/1472-2-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/1472-1-0x0000000000FC0000-0x000000000102C000-memory.dmp

Filesize
432KB

Download
memory/3408-18-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/3408-167-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-13-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-14-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-19-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3408-20-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4756-34-0x00007FF6BFE20000-0x00007FF6BFF18000-memory.dmp

Filesize
992KB

Download
memory/4756-48-0x00007FF8E68A0000-0x00007FF8E68B1000-memory.dmp

Filesize
68KB

Download
memory/4756-40-0x00007FF8F2B20000-0x00007FF8F2B37000-memory.dmp

Filesize
92KB

Download
memory/4756-39-0x00007FF8F3170000-0x00007FF8F3181000-memory.dmp

Filesize
68KB

Download
memory/4756-53-0x0000022ACB7C0000-0x0000022ACD02F000-memory.dmp

Filesize
24.4MB

Download
memory/4756-38-0x00007FF8F4960000-0x00007FF8F4977000-memory.dmp

Filesize
92KB

Download
memory/4756-37-0x00007FF8F4E00000-0x00007FF8F4E18000-memory.dmp

Filesize
96KB

Download
memory/4756-44-0x00007FF8E39F0000-0x00007FF8E3BFB000-memory.dmp

Filesize
2.0MB

Download
memory/4756-46-0x00007FF8E6B90000-0x00007FF8E6BB1000-memory.dmp

Filesize
132KB

Download
memory/4756-47-0x00007FF8EBE70000-0x00007FF8EBE88000-memory.dmp

Filesize
96KB

Download
memory/4756-117-0x00007FF8E2940000-0x00007FF8E39F0000-memory.dmp

Filesize
16.7MB

Download
memory/4756-41-0x00007FF8F2B00000-0x00007FF8F2B11000-memory.dmp

Filesize
68KB

Download
memory/4756-45-0x00007FF8EBE90000-0x00007FF8EBED1000-memory.dmp

Filesize
260KB

Download
memory/4756-36-0x00007FF8E40B0000-0x00007FF8E4366000-memory.dmp

Filesize
2.7MB

Download
memory/4756-43-0x00007FF8F03E0000-0x00007FF8F03F1000-memory.dmp

Filesize
68KB

Download
memory/4756-161-0x00007FF8E2940000-0x00007FF8E39F0000-memory.dmp

Filesize
16.7MB

Download
memory/4756-49-0x00007FF8E2940000-0x00007FF8E39F0000-memory.dmp

Filesize
16.7MB

Download
memory/4756-35-0x00007FF8F5C30000-0x00007FF8F5C64000-memory.dmp

Filesize
208KB

Download
memory/4756-50-0x00007FF8E5B30000-0x00007FF8E5B41000-memory.dmp

Filesize
68KB

Download
memory/4756-52-0x00007FF8E1ED0000-0x00007FF8E1EF5000-memory.dmp

Filesize
148KB

Download
memory/4756-51-0x00007FF8E5B10000-0x00007FF8E5B21000-memory.dmp

Filesize
68KB

Download
memory/4756-42-0x00007FF8F0400000-0x00007FF8F041D000-memory.dmp

Filesize
116KB

Download