quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
147s
max time network
301s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (19) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

2 ip-api.com
2680 schtasks.exe
11 api.ipify.org

flow	ioc
2	ip-api.com
2680	schtasks.exe
11	api.ipify.org

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral19/memory/2908-1-0x0000000000340000-0x00000000003AC000-memory.dmp	family_quasar
behavioral19/memory/2548-10-0x0000000000280000-0x00000000002EC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeA8jTxoQcQG42.exe

pid process

2548 Client.exe
476 A8jTxoQcQG42.exe
Loads dropped DLL 2 IoCs

Processes:

Uni - Copy (19) - Copy.exeClient.exe

pid process

2908 Uni - Copy (19) - Copy.exe
2548 Client.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
11 api.ipify.org
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

2680 schtasks.exe
2556 SCHTASKS.exe
2560 schtasks.exe
816 SCHTASKS.exe

pid	process
2548	Client.exe
476	A8jTxoQcQG42.exe

pid	process
2908	Uni - Copy (19) - Copy.exe
2548	Client.exe

flow	ioc
2	ip-api.com
11	api.ipify.org

pid	process
2680	schtasks.exe
2556	SCHTASKS.exe
2560	schtasks.exe
816	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1484 vlc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2192 chrome.exe
2192 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1484 vlc.exe

pid	process
2192	chrome.exe
2192	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Uni - Copy (19) - Copy.exeClient.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	2908	Uni - Copy (19) - Copy.exe
Token: SeDebugPrivilege	2548	Client.exe
Token: 33	2140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2140	AUDIODG.EXE
Token: 33	2140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2140	AUDIODG.EXE
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

vlc.exechrome.exe

pid	process
1484	vlc.exe
1484	vlc.exe
1484	vlc.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

vlc.exechrome.exe

pid	process
1484	vlc.exe
1484	vlc.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeA8jTxoQcQG42.exevlc.exe

pid process

2548 Client.exe
476 A8jTxoQcQG42.exe
1484 vlc.exe

pid	process
2548	Client.exe
476	A8jTxoQcQG42.exe
1484	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (19) - Copy.exeClient.exechrome.exe

description	pid	process	target process
PID 2908 wrote to memory of 2680	2908	Uni - Copy (19) - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 2680	2908	Uni - Copy (19) - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 2680	2908	Uni - Copy (19) - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 2680	2908	Uni - Copy (19) - Copy.exe	schtasks.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2548	2908	Uni - Copy (19) - Copy.exe	Client.exe
PID 2908 wrote to memory of 2556	2908	Uni - Copy (19) - Copy.exe	SCHTASKS.exe
PID 2908 wrote to memory of 2556	2908	Uni - Copy (19) - Copy.exe	SCHTASKS.exe
PID 2908 wrote to memory of 2556	2908	Uni - Copy (19) - Copy.exe	SCHTASKS.exe
PID 2908 wrote to memory of 2556	2908	Uni - Copy (19) - Copy.exe	SCHTASKS.exe
PID 2548 wrote to memory of 2560	2548	Client.exe	schtasks.exe
PID 2548 wrote to memory of 2560	2548	Client.exe	schtasks.exe
PID 2548 wrote to memory of 2560	2548	Client.exe	schtasks.exe
PID 2548 wrote to memory of 2560	2548	Client.exe	schtasks.exe
PID 2548 wrote to memory of 476	2548	Client.exe	A8jTxoQcQG42.exe
PID 2548 wrote to memory of 476	2548	Client.exe	A8jTxoQcQG42.exe
PID 2548 wrote to memory of 476	2548	Client.exe	A8jTxoQcQG42.exe
PID 2548 wrote to memory of 476	2548	Client.exe	A8jTxoQcQG42.exe
PID 2192 wrote to memory of 1624	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 1624	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 1624	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe
PID 2192 wrote to memory of 2228	2192	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2680

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2560

C:\Users\Admin\AppData\Local\Temp\A8jTxoQcQG42.exe
"C:\Users\Admin\AppData\Local\Temp\A8jTxoQcQG42.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:476

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:816

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (19) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnlockFormat.ADT"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefd49758,0x7feefd49768,0x7feefd49778
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:2
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:1
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:1
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2796 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:2
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:1
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3404 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3692 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1312,i,4281027842278726723,8733704228065444514,131072 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5fae75ce-21a3-4979-897c-d84f3a50b96d.tmp
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
6aa333e12b73f2a07e45506df5ea3bb9

SHA1
ce45bea6542d1e7e64746d4a5d085d274df958f6

SHA256
cee0333c002bc47360f43754f04da7ebd143b748be70f27d7a3727beae3c4217

SHA512
63d78f4c583b4355f221f5c390ea7d97bb5a9b2d2e813dea84b95daab9156475508aeb1ee8e0a835b23dc8ed344ca004e2b60887d29f1446d963f8061080f396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
357a4a22e9986e01606daf2e499d30b1

SHA1
913fdbdeee66648cb3ac1c5f3ef345041ad46730

SHA256
e9ed245d52a8fffad4404f0add541d2a96a0d959ed223de135362bb809a9ee68

SHA512
906e56a7acc2d437017ea9bdf9260fb530effae7ff4971acfceb7c8df8751b4eaef489b6b97393ad87763853186eb5cf9b81b9690c4412646d7f43b9586dd7fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b2fc261f-d002-463c-afe5-186d33159793.tmp
Filesize
6KB

MD5
f383baf3fcc7896730d85ae4a52fe4d1

SHA1
cc0d8dfbd19caef89c6c8cb83375cdc39d9915dd

SHA256
b7d8bba3a51bdf68fbe93ef31f877222d481c82e9b5ad897b84d3002f9aed001

SHA512
1f75bebe05e5da756105f98ee47a3f532731af69ed5e90d22386a53a52ab89ae14419b179b0cc59ba2baaa4a02cd1bd9784900bf2996b07da6169d9ea466069e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cd0e56cb-f661-47f6-9cc3-2471e003084b.tmp
Filesize
6KB

MD5
16312ebca2c8caf30863137909e423f1

SHA1
f23b5d37f76754eeaabf6a0fcf8ffad853d85b0d

SHA256
15e75e2b16dd5899c04afba9c609a97ec5ea28ecba3456bc907438f6c679084d

SHA512
e1babcefbca6ab2da90b39bc00823ee1a1ba036a7055ce54d6ec3099828ecf99db855e18b7e0413c9c5aae4dd77033fb8854084815f12e7a513f05e42822c5ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ecf67cee-769f-40f8-b83f-af3dd1181e00.tmp
Filesize
5KB

MD5
e8dda8f1de2493b54cbce568387a0436

SHA1
46014af7849750775b5bdb6f046d116f2a27bcfa

SHA256
52afd59fcdac240d79562dd932f8c74d73b3d58ec78875cac4cf23d30b31c489

SHA512
427e68dbf324b096a4a2ec5334ac385b4b33901d1080dbc376ddcff5a8cb57fe29053921ca14a1c8705174f8dee90c30ec6ee991e985a2061a248e2260035241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f41750ab-c282-4efd-8cc0-9d38ccb6b56c.tmp
Filesize
5KB

MD5
7c97f4433772ff4b5a67a7feefd54244

SHA1
156d57390bc842b4326f8b743d8b5a4f8f340cf3

SHA256
b2760aa2ee031333678ac7c7386b0a1e9a4daa86e5e6a5ec4c2a799c16d75b24

SHA512
d6a9966ddaf9efbada173de772f6444f501c113eae04d8bbf300162c4be309753a2d3e6bfbcc654bd5a4ef82552a084e4834125825787d90505e4733e6898833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
271KB

MD5
985bef6f5d5e1b39a840d76cc7262daf

SHA1
d9e5dc74d27ba221010758fa403c13048df9908b

SHA256
e6af9a38adf0754c52b82a18d511c7aeb6923cfd1f66f03375809caa9d60a597

SHA512
65894d5b84d7a4abfeb017f5b54faa00c67f7b88ee31e61c1cb5c31ebbb922b1eb377a3fc529d95faef5bd6bcf059485b1f38b202ea49a37f539bbb26364d25e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
271KB

MD5
c872953461b89779f9cd00ad9513c1d8

SHA1
82a1d8bae06a37fcf846a29c9ad9f1f958893659

SHA256
9410ca939a08c14f27da607a85e6693c2a8ceef9d3553f1db306e3d322a74d0d

SHA512
92fa895aee8d14a517128329aed9f40eefd695e55815b7c612a45482b3da91502fc76dd882c12b6854c8b622fbb4558e9048044129fa2657e1c02f32917b1552

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8jTxoQcQG42.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\crashpad_2192_PLOOGVGFTNEZDBRN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1484-124-0x000007FEF6160000-0x000007FEF6178000-memory.dmp

Filesize
96KB

Download
memory/1484-143-0x000007FEF3540000-0x000007FEF3551000-memory.dmp

Filesize
68KB

Download
memory/1484-106-0x000007FEF7B10000-0x000007FEF7B27000-memory.dmp

Filesize
92KB

Download
memory/1484-107-0x000007FEF6CE0000-0x000007FEF6CF1000-memory.dmp

Filesize
68KB

Download
memory/1484-108-0x000007FEF6910000-0x000007FEF6927000-memory.dmp

Filesize
92KB

Download
memory/1484-110-0x000007FEF68D0000-0x000007FEF68ED000-memory.dmp

Filesize
116KB

Download
memory/1484-111-0x000007FEF6310000-0x000007FEF6321000-memory.dmp

Filesize
68KB

Download
memory/1484-109-0x000007FEF68F0000-0x000007FEF6901000-memory.dmp

Filesize
68KB

Download
memory/1484-112-0x000007FEF46A0000-0x000007FEF574B000-memory.dmp

Filesize
16.7MB

Download
memory/1484-121-0x000007FEF44A0000-0x000007FEF46A0000-memory.dmp

Filesize
2.0MB

Download
memory/1484-122-0x000007FEF6180000-0x000007FEF61BF000-memory.dmp

Filesize
252KB

Download
memory/1484-123-0x000007FEF62E0000-0x000007FEF6301000-memory.dmp

Filesize
132KB

Download
memory/1484-125-0x000007FEF6140000-0x000007FEF6151000-memory.dmp

Filesize
68KB

Download
memory/1484-126-0x000007FEF6120000-0x000007FEF6131000-memory.dmp

Filesize
68KB

Download
memory/1484-127-0x000007FEF6100000-0x000007FEF6111000-memory.dmp

Filesize
68KB

Download
memory/1484-104-0x000007FEF5880000-0x000007FEF5B34000-memory.dmp

Filesize
2.7MB

Download
memory/1484-129-0x000007FEF60C0000-0x000007FEF60D1000-memory.dmp

Filesize
68KB

Download
memory/1484-132-0x000007FEF43E0000-0x000007FEF4447000-memory.dmp

Filesize
412KB

Download
memory/1484-133-0x000007FEF4370000-0x000007FEF43DF000-memory.dmp

Filesize
444KB

Download
memory/1484-136-0x000007FEF42C0000-0x000007FEF42E8000-memory.dmp

Filesize
160KB

Download
memory/1484-137-0x000007FEF4290000-0x000007FEF42B4000-memory.dmp

Filesize
144KB

Download
memory/1484-139-0x000007FEF4240000-0x000007FEF4263000-memory.dmp

Filesize
140KB

Download
memory/1484-140-0x000007FEF4220000-0x000007FEF4231000-memory.dmp

Filesize
68KB

Download
memory/1484-105-0x000007FEF7B50000-0x000007FEF7B68000-memory.dmp

Filesize
96KB

Download
memory/1484-142-0x000007FEF3560000-0x000007FEF3571000-memory.dmp

Filesize
68KB

Download
memory/1484-141-0x000007FEF4200000-0x000007FEF4212000-memory.dmp

Filesize
72KB

Download
memory/1484-138-0x000007FEF4270000-0x000007FEF4287000-memory.dmp

Filesize
92KB

Download
memory/1484-135-0x000007FEF42F0000-0x000007FEF4346000-memory.dmp

Filesize
344KB

Download
memory/1484-134-0x000007FEF4350000-0x000007FEF4361000-memory.dmp

Filesize
68KB

Download
memory/1484-131-0x000007FEF4450000-0x000007FEF4480000-memory.dmp

Filesize
192KB

Download
memory/1484-130-0x000007FEF4480000-0x000007FEF4498000-memory.dmp

Filesize
96KB

Download
memory/1484-128-0x000007FEF60E0000-0x000007FEF60FB000-memory.dmp

Filesize
108KB

Download
memory/1484-158-0x000007FEF46A0000-0x000007FEF574B000-memory.dmp

Filesize
16.7MB

Download
memory/1484-103-0x000007FEF6D00000-0x000007FEF6D34000-memory.dmp

Filesize
208KB

Download
memory/1484-102-0x000000013FA80000-0x000000013FB78000-memory.dmp

Filesize
992KB

Download
memory/2548-438-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-16-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-15-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-11-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-12-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-10-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/2908-1-0x0000000000340000-0x00000000003AC000-memory.dmp

Filesize
432KB

Download
memory/2908-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2908-2-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-13-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download