Overview

overview

10

Static

static

10

QuasarModded.scr

windows10-1703-x64

10

QuasarModded.scr

windows10-2004-x64

10

QuasarModded.scr

windows11-21h2-x64

10

Analysis

  • max time kernel
    296s
  • max time network
    308s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/07/2024, 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QuasarModded.scr

  • Size

    1.2MB

  • MD5

    a4804946374d70da63b45d48c0de6188

  • SHA1

    a00c5b21387aa3b2fa9eafd8bd3d0159de32454f

  • SHA256

    e5f8616d5ed2e6e1538b238c2ef7d13ee680406899fa14cae2ad54bede356d4a

  • SHA512

    d3e9bff12b39e2d4602e947be84606ffbd7af2bc9b0785721d9caf679163749892b7fa2cc33c76def45b275ce2971fef1a27d0369f857c42dca2dfd666631f5c

  • SSDEEP

    24576:u2G/nvxW3WieCaZtNvoYU367xprsfVwkR4QuYN0wnxvjd:ubA3jGA+ruVwkz6wnxvx

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 17 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr
    "C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr" /S
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\Gg47yix3Ugv.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\bridgewebfontDriver\surrogateBrowser.exe
          "C:\bridgewebfontDriver\surrogateBrowser.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1172
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\teE7LLSnwX.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4104
              • C:\Program Files\Windows Photo Viewer\en-US\Registry.exe
                "C:\Program Files\Windows Photo Viewer\en-US\Registry.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:3932
                • C:\Windows\explorer.exe
                  "explorer.exe"
                  7⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Enumerates connected drives
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:3096
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:4596
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "echo Loading Windows...."
          3⤵
            PID:4648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2004
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4888
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2276
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\bridgewebfontDriver\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgewebfontDriver\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\bridgewebfontDriver\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\bridgewebfontDriver\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\bridgewebfontDriver\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\bridgewebfontDriver\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3432
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:224
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4548
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae9efab58,0x7ffae9efab68,0x7ffae9efab78
          2⤵
            PID:804
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:2
            2⤵
              PID:3496
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:8
              2⤵
                PID:3856
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:8
                2⤵
                  PID:840
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:1
                  2⤵
                    PID:2520
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:1
                    2⤵
                      PID:4324
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:1
                      2⤵
                        PID:1864
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:8
                        2⤵
                          PID:988
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:8
                          2⤵
                            PID:5048
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1952,i,16182863075143643065,7789282471439078809,131072 /prefetch:8
                            2⤵
                              PID:4256
                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                            1⤵
                              PID:3140
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                              1⤵
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:1964
                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                              1⤵
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:4520
                            • C:\bridgewebfontDriver\Registry.exe
                              C:\bridgewebfontDriver\Registry.exe
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4832
                            • C:\Program Files\7-Zip\Lang\wininit.exe
                              "C:\Program Files\7-Zip\Lang\wininit.exe"
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:816

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              1KB

                              MD5

                              b164d56b398e1a8ea1d3d6939cb5f83f

                              SHA1

                              402e597b0102c514adfc2de84410763cacc6a8bc

                              SHA256

                              88ee53138ff57c8831570a6450077ff9500b8d8ebe20839c04d1fae55e6a859d

                              SHA512

                              90e01b358444b628cc3db3369f78403b3a5179b25133ee05ad8bff3c9106935d9eac761446863dcdd2bb7a25de353724174729a5726959c636712ed4327743bc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                              Filesize

                              356B

                              MD5

                              226645678918fa1479414222278637e0

                              SHA1

                              1fe4ed99c4096322701de512644610a4fc95d46c

                              SHA256

                              e51391f1ddcf1e7fdbf43eb13bfa9810c275728ad093412d3a4486ff4f0e4929

                              SHA512

                              b6fe46e296747948cea9012f029475f77e52a1c126199352a78e7f3204a7f5b966abe3c9f7cbf62eba2a65b334315040748ac8d472840d70842336e7d0ebcfba

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              e5fe1a959ee3d60d96bd342005b610d1

                              SHA1

                              77f72681ecc68b37f74dcf10fea01f1a4a1a06fc

                              SHA256

                              c6bd4ed71f7b375a942dbd3919531658f41506f5f41640472446a61c5364f1b5

                              SHA512

                              cc6c1f5b196c726e1d1be36f6800a1e640261daefbf0c7e350de260c54ea6cf1c6032179ee71e520c24875a3d5a1ebce466edff6c003396f8f34d265122fb242

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                              Filesize

                              16KB

                              MD5

                              c878807065e48ff343b7e4fedae322da

                              SHA1

                              842f7542e704cddc4d9c57de3f8f003a9c968dcf

                              SHA256

                              c312824df72bd9900f6392da4fb5d20ac1aba48b8a5e305a80c53e293f350f14

                              SHA512

                              9c2440aefa75b15ba2fa6ae244722ad025f701664f484143df207dc725a22836047b7dc3c1bbd316c5f4d061a8475bd4239843dcb53c31ad52252ac210a256a3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              285KB

                              MD5

                              0bf9b071465392d3ac19d7f396e710d7

                              SHA1

                              44fe95b1691a63e4fc1aee9a4354750fd269914d

                              SHA256

                              61151faf2bf28bc7ee254e7f89a854b029a246147c8798b2e6782dcbb2557431

                              SHA512

                              fdb1b4bd6cc17630a3736810966d9a97d17d5dfcbdd5b9d1801f1b5828762d19ab1b47c11ef0822a5bd2e8340255a5fc83faa105e0ce86f8492eb2923f35d276

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              285KB

                              MD5

                              1f8fb691eaeeef9b35561d689d505847

                              SHA1

                              eb56d4edc03fcb0d6ee59c2b18ea12dae3e88a74

                              SHA256

                              e59d9758758c6ccfd196b29512ebcb8b35ddbb87be9d76e262e979ba89bdddaa

                              SHA512

                              b996a122a3123de0e8e89fc42a735822f5cd35e21d3cc76ce36353fe536e9052632cf233189b33df58fdbe37a04ef97a8fa9b099e3c9c35669da3f4869c0e21b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                              Filesize

                              264KB

                              MD5

                              f50f89a0a91564d0b8a211f8921aa7de

                              SHA1

                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                              SHA256

                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                              SHA512

                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\teE7LLSnwX.bat
                              Filesize

                              221B

                              MD5

                              fbc76f95eeebe326665d3471ccbc92fd

                              SHA1

                              b5f424d123cfe53aab873375d666c622cdd308aa

                              SHA256

                              67770d0979b1c4bfc55f1bd34f97be1139370bb81d4258fbf3bc7ea8ce1a9f08

                              SHA512

                              2922e1fee8b577c781016be529f75804147fa5356a8fb94c890bfc2fd3ea59e48df967f21530a2dabcbbc6e120825b5fe47571c7f127869ef8a476a522dcf14c

                              Download Submit

                            • C:\bridgewebfontDriver\Gg47yix3Ugv.bat
                              Filesize

                              157B

                              MD5

                              2145812a655fcd7fd26f377cca64e5ac

                              SHA1

                              12610088154f68594f5416c48cb0542a9d1b7b8d

                              SHA256

                              fb23c678fc163f761224473afc361013c1fd9d3297a5a99a252d7770b7b46be6

                              SHA512

                              a93fee719fbc9186c8ad706c05b7abddf40d8ba48aa34d8989c35a6660a4bf8d02273336c96e770bedeefe992041167e7abca2eff21a87da11fe98ff9dc268d0

                              Download Submit

                            • C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat
                              Filesize

                              37B

                              MD5

                              6cd2aafebcf7db23c74ca6c73a041342

                              SHA1

                              600fc446485bfd277e415b768766bb9137fbe302

                              SHA256

                              af30295b156854859a392ca6afcdf01edb5e2df21b31c0787ab9396ddf44cb0e

                              SHA512

                              eb43e65b3f9296afd5907a95e23a86c2776da0cb7d8bdedb6c3bc30bfd37ec2a78227606d7bf4a3e05bf50248558835c9b2e77a9376b26ae36170a398a8087fa

                              Download Submit

                            • C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe
                              Filesize

                              207B

                              MD5

                              abf61c238f6dd4ecb89a49801a52ce82

                              SHA1

                              1e61ebb43d17005a986cf3d7d5c93d1ccd9dc0fd

                              SHA256

                              d4955e52bc64f7bf143f0930a12f45710769c06323cc6ab1742a798b2a4362f3

                              SHA512

                              142c94171c559b936bd3f880183c7607ed4a9614b84dd6d844b692a4dd36d85a206bc780cd6c5158bc579c1cac75d57289b801b6bd4afe7c8cffb3436585b0d1

                              Download Submit

                            • C:\bridgewebfontDriver\surrogateBrowser.exe
                              Filesize

                              897KB

                              MD5

                              9ec0bd3db90819b061753ad50f77741c

                              SHA1

                              b693c923ccc22944bbc1e8501e05fcc93e88b369

                              SHA256

                              80fdef187d476f0966a2565f2da801f45772c816f9c6350078a4010c87a26ef5

                              SHA512

                              93f04bbeeb4df2cca62ca5e1d2888650734e7fc54385a16537c11811085bd9520f770a38984aeeb512f65a8ec48b2285d896072b8400a5624c9c212d02f1bbad

                              Download Submit

                            • memory/1172-18-0x0000000001540000-0x000000000154E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/1172-17-0x0000000000AD0000-0x0000000000BB8000-memory.dmp

                              Filesize

                              928KB

                              Download

                            • memory/3932-57-0x000000001BC30000-0x000000001BC39000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/3932-59-0x000000001CAD0000-0x000000001CAEE000-memory.dmp

                              Filesize

                              120KB

                              Download

                            • memory/3932-60-0x000000001CAF0000-0x000000001CAFB000-memory.dmp

                              Filesize

                              44KB

                              Download

                            • memory/3932-58-0x000000001CAC0000-0x000000001CACD000-memory.dmp

                              Filesize

                              52KB

                              Download

                            • memory/3932-56-0x000000001BBD0000-0x000000001BC16000-memory.dmp

                              Filesize

                              280KB

                              Download

                            • memory/3932-244-0x0000000001790000-0x00000000017A0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3932-310-0x000000001C3A0000-0x000000001C3B6000-memory.dmp

                              Filesize

                              88KB

                              Download