quasar | fcd5b843d50ec2f973aaa27e54b6bf045931cc3cb8d9bea4edaade352fe0f7d5

Analysis

max time kernel
156s
max time network
289s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (20) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

2712 schtasks.exe
2 ip-api.com
6 api.ipify.org

pid	process
2712	schtasks.exe
2	ip-api.com
6	api.ipify.org

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral25/memory/2236-1-0x0000000000FD0000-0x000000000103C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar
behavioral25/memory/2564-10-0x0000000000DE0000-0x0000000000E4C000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeLWtf8q4Jrz4j.exe

pid process

2564 Client.exe
1032 LWtf8q4Jrz4j.exe
Loads dropped DLL 2 IoCs

Processes:

Uni - Copy (20) - Copy.exeClient.exe

pid process

2236 Uni - Copy (20) - Copy.exe
2564 Client.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
6 api.ipify.org
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

2712 schtasks.exe
2744 SCHTASKS.exe
1212 schtasks.exe
2624 SCHTASKS.exe

pid	process
2564	Client.exe
1032	LWtf8q4Jrz4j.exe

pid	process
2236	Uni - Copy (20) - Copy.exe
2564	Client.exe

flow	ioc
2	ip-api.com
6	api.ipify.org

pid	process
2712	schtasks.exe
2744	SCHTASKS.exe
1212	schtasks.exe
2624	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2848 NOTEPAD.EXE
2588 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1100 chrome.exe
1100 chrome.exe

pid	process
2848	NOTEPAD.EXE
2588	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

Uni - Copy (20) - Copy.exeClient.exeAUDIODG.EXEchrome.exe

description	pid	process
Token: SeDebugPrivilege	2236	Uni - Copy (20) - Copy.exe
Token: SeDebugPrivilege	2564	Client.exe
Token: 33	2528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2528	AUDIODG.EXE
Token: 33	2528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2528	AUDIODG.EXE
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeLWtf8q4Jrz4j.exe

pid process

2564 Client.exe
1032 LWtf8q4Jrz4j.exe

pid	process
2564	Client.exe
1032	LWtf8q4Jrz4j.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (20) - Copy.exeClient.exechrome.exe

description	pid	process	target process
PID 2236 wrote to memory of 2712	2236	Uni - Copy (20) - Copy.exe	schtasks.exe
PID 2236 wrote to memory of 2712	2236	Uni - Copy (20) - Copy.exe	schtasks.exe
PID 2236 wrote to memory of 2712	2236	Uni - Copy (20) - Copy.exe	schtasks.exe
PID 2236 wrote to memory of 2712	2236	Uni - Copy (20) - Copy.exe	schtasks.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2564	2236	Uni - Copy (20) - Copy.exe	Client.exe
PID 2236 wrote to memory of 2744	2236	Uni - Copy (20) - Copy.exe	SCHTASKS.exe
PID 2236 wrote to memory of 2744	2236	Uni - Copy (20) - Copy.exe	SCHTASKS.exe
PID 2236 wrote to memory of 2744	2236	Uni - Copy (20) - Copy.exe	SCHTASKS.exe
PID 2236 wrote to memory of 2744	2236	Uni - Copy (20) - Copy.exe	SCHTASKS.exe
PID 2564 wrote to memory of 1212	2564	Client.exe	schtasks.exe
PID 2564 wrote to memory of 1212	2564	Client.exe	schtasks.exe
PID 2564 wrote to memory of 1212	2564	Client.exe	schtasks.exe
PID 2564 wrote to memory of 1212	2564	Client.exe	schtasks.exe
PID 2564 wrote to memory of 1032	2564	Client.exe	LWtf8q4Jrz4j.exe
PID 2564 wrote to memory of 1032	2564	Client.exe	LWtf8q4Jrz4j.exe
PID 2564 wrote to memory of 1032	2564	Client.exe	LWtf8q4Jrz4j.exe
PID 2564 wrote to memory of 1032	2564	Client.exe	LWtf8q4Jrz4j.exe
PID 1100 wrote to memory of 928	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 928	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 928	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe
PID 1100 wrote to memory of 2312	1100	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (20) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (20) - Copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (20) - Copy.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2712

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1212

C:\Users\Admin\AppData\Local\Temp\LWtf8q4Jrz4j.exe
"C:\Users\Admin\AppData\Local\Temp\LWtf8q4Jrz4j.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2624

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (20) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (20) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d39758,0x7fef6d39768,0x7fef6d39778
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:2
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:1
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:1
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:2
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2216 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:1
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3792 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 --field-trial-handle=1336,i,16337827177852193262,8339199987631412964,131072 /prefetch:8
2⤵
PID:3004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2584

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GetRestore.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2848

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GetRestore.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\54a19a7c-cfe0-4071-8db2-3c567aae9528.tmp
Filesize
5KB

MD5
36e240d6f44f6c75432ccb46804f4fdf

SHA1
88da7fd92ed755b28006c4113104e5c9554284f2

SHA256
4f39bc250ced3ef5273a5a303b0b84283e3e1adf7849bc988b288c635c0a12e2

SHA512
762020414ccbda9ecb0fde06f56a8525d126b1181d7c9b33db33d7662ac213e537d796efd9ffb1c1b61a99ed1390de5efb284fc92046a2f24434ec6b7fb5fe4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7e090b8c-5bfe-4b81-a926-f9d9e5c40bb7.tmp
Filesize
5KB

MD5
60488caed2e80fb38dba1179b175b4c0

SHA1
b39992062687fa75826f227b7950713b161f5d28

SHA256
4ad3f60ce7219b3b21f1285b9f99f8aac5cda46bc16ae6ec209bcc829ce3274e

SHA512
0de633d49501a589e738bd5721cf6286eb272386ac1afcf2e163289111bbce2c65956b04561b152b9b90a9c9d434eb4cff680d40d988581a1de9e009c1b155b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
362870a74cef8c93b197905c2d40c305

SHA1
4dd5c404f13438119c48931db4a4cc1ba7783b27

SHA256
6e08d8d2b2964a8268ba2b4a42cef62c5752c390b6da864c8adf21a1a2800b9c

SHA512
071d69d5d997fa4166501e71ce528332c24762954d74c1c5627a530802762699c0a691ee38a4b4d1d9ab8888bd9607613f33d129cc6de90dc84810ecc8d29d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
69868ea6d91429f79566df34084c0cf5

SHA1
38c0446f062a697f4cf5bcf499c5d2713d5dbe88

SHA256
2a60f0d1d61d95c685614b330769ca23a7e2924da998848a27d6a7413b228d92

SHA512
63241a8f4149d730390a2cad377bbb1deaec6c9c5af44ae17eaf23bc725ec53d824a4da5f1d69a87cca11db26a2e6eb0750254c3cffcee2cb8f0286d125ddcbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
11c7c29382aba1132cd563f982ba7bc8

SHA1
bd49ba8de6e7acfbd9f0d149e7b835a766bd0208

SHA256
48cde65eb7864ef56105afde0658bdc82c364fd2c8b5041d6f1037f8a9a0961a

SHA512
cfff1bfb1646a8027289308baa6b2957572d3403ed8d7c33e28b6d0f9e04a91137df775d2847c8036319b648c283706a050145c23431752249155a0da91ac035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f9d7749228927c286d1a2cdab3778529

SHA1
c5d16671b0f2d01e562d790640ac9ad0045fa63f

SHA256
bf63b2203b34221eed2fc32d432451df7608b6b65ee31de6ed23b4e9f27fd5ab

SHA512
26c87019ea528f8835938b85e7e08e3fdff733b160468dd5dd97f63c8363a411e13fd60d66ed9f861eb39d6c411520df2ec5a88440d6a5fa7cd0632caa7c3e83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
04099852f8088a0a1367546a73ffb1e2

SHA1
271187f4de1c10a5c326b419a17dc002df4ce82b

SHA256
ffb3dd47b755e21c7fb621328cadf9b2b1a70bfa392a5d7f609236460c889791

SHA512
6f5f5ecce7878a476826e38fe0269cbf62355de50a0c9b4eb5ef371fb81a5e968d3c389c82ce5857f76ef1c8d74a03f5e637998de271c659ee50b6eb54f9f368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ba649aa0-3298-434e-9347-ea3af59d4961.tmp
Filesize
282KB

MD5
058ac3020c837d25230296e6761eedee

SHA1
c87a353ebe7b2effe6523f776881a97eee470601

SHA256
7bc5ee16d3c7e6246f2f399c4424b2a9c41e107e1575871cf0353c4e66c17741

SHA512
1224619f6e2773b03ec29ac3f2c4a97cf10557ce3dcb0e324fe478785fe537df4a6133041ad82de7f992e4251b135b16fe615954a1122b0d65acecdcd8e2f8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWtf8q4Jrz4j.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
\??\pipe\crashpad_1100_UPNQVCBQXVYKQXWZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2236-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/2236-13-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-1-0x0000000000FD0000-0x000000000103C000-memory.dmp

Filesize
432KB

Download
memory/2564-12-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-10-0x0000000000DE0000-0x0000000000E4C000-memory.dmp

Filesize
432KB

Download
memory/2564-11-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-166-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-15-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-16-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download