quasar | hxxps://www[.]dosya[.]tc/server/ahlbm7/ASEvDCnMjfY8fqfkdCK[.]exe[.]html

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dosya.tc/server/ahlbm7/ASEvDCnMjfY8fqfkdCK.exe.html

Score

10^/10

quasar venomrat mîcrosoft discovery rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Mîcrosoft

84.32.231.214:9548

Mutex

VNM_MUTEX_EK29o1D9hJEsUw2hN0

Attributes

encryption_key
Y7gS0QOWklh1tATK3qYy
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 7 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2176-220-0x0000000140000000-0x00000001409E2000-memory.dmp	disable_win_def
behavioral1/memory/2176-222-0x0000000140000000-0x00000001409E2000-memory.dmp	disable_win_def
behavioral1/memory/2176-225-0x0000000140000000-0x00000001409E2000-memory.dmp	disable_win_def
behavioral1/files/0x0009000000023c55-235.dat	disable_win_def
behavioral1/memory/3048-237-0x00000000004A0000-0x000000000052C000-memory.dmp	disable_win_def
behavioral1/memory/2176-375-0x0000000140000000-0x00000001409E2000-memory.dmp	disable_win_def
behavioral1/memory/2176-380-0x0000000140000000-0x00000001409E2000-memory.dmp	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2176-220-0x0000000140000000-0x00000001409E2000-memory.dmp	family_quasar
behavioral1/memory/2176-222-0x0000000140000000-0x00000001409E2000-memory.dmp	family_quasar
behavioral1/memory/2176-225-0x0000000140000000-0x00000001409E2000-memory.dmp	family_quasar
behavioral1/files/0x0009000000023c55-235.dat	family_quasar
behavioral1/memory/3048-237-0x00000000004A0000-0x000000000052C000-memory.dmp	family_quasar
behavioral1/memory/2176-375-0x0000000140000000-0x00000001409E2000-memory.dmp	family_quasar
behavioral1/memory/2176-380-0x0000000140000000-0x00000001409E2000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Venomrat family
venomrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2176	ASEvDCnMjfY8fqfkdCK.exe
3048	Mîcrosoft.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
157	ip-api.com
163	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mîcrosoft.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133745233118174106"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe
2176	ASEvDCnMjfY8fqfkdCK.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2176	ASEvDCnMjfY8fqfkdCK.exe
3048	Mîcrosoft.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1692	2952	chrome.exe	84
PID 2952 wrote to memory of 1692	2952	chrome.exe	84
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 2920	2952	chrome.exe	85
PID 2952 wrote to memory of 3728	2952	chrome.exe	86
PID 2952 wrote to memory of 3728	2952	chrome.exe	86
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87
PID 2952 wrote to memory of 2060	2952	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dosya.tc/server/ahlbm7/ASEvDCnMjfY8fqfkdCK.exe.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffc0a86cc40,0x7ffc0a86cc4c,0x7ffc0a86cc58
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4356,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4828,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5016,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4984,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=724 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5364,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5488,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5772,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5944,i,2554016183783065216,16428974827557472189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4876
- C:\Users\Admin\Downloads\ASEvDCnMjfY8fqfkdCK.exe
  "C:\Users\Admin\Downloads\ASEvDCnMjfY8fqfkdCK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn "Mîcrosoft" /tr "C:\Users\Admin\AppData\Local\Temp\Mîcrosoft.exe" /sc onlogon /rl highest /f
    3⤵
    PID:4288
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Mîcrosoft" /tr "C:\Users\Admin\AppData\Local\Temp\Mîcrosoft.exe" /sc onlogon /rl highest /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /run /tn "Mîcrosoft"
    3⤵
    PID:624
  - - C:\Windows\system32\schtasks.exe
      schtasks /run /tn "Mîcrosoft"
      4⤵
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1048

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Mîcrosoft.exe
C:\Users\Admin\AppData\Local\Temp\Mîcrosoft.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
15d131703d54efcee9c7e42f13bdc8d8

SHA1
f4400c75df952431a320287fddef70126dbedb9c

SHA256
259883170cef8f2b86ba442fdd7e07c333510b184ad7f570a4ffea281acf5a73

SHA512
9cc5d7bcd0af1e9a4aee18aae3a542c5ce6519c08a10734e2d55e92d1d5085ad47f1108384f77afdf1a64ba961a31b503ff5b88568c86cdab942c3627673bf30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
e5cd3637d6f3f1b0b3f2e386d1d646ea

SHA1
fdc5ca5d1a8ad955769a0df976ea9e639fc063ab

SHA256
e665e8e430ac6ae9062f32c73f105af1fb1597bec6349a0fb5a94a4b1bddd547

SHA512
55163200708839bfde46ba65b6d2696409e7760c9c5a01c576da807f0eb9e924fa748d3c43bfd8098bae06605a2bd2bce363d67527385d5073917b7f2cce6cd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
3e513802f9d146d6a8de097ddea66e5e

SHA1
2df25f870215e41aa749d53d71dcaee94eb1d82e

SHA256
98a22ae3f0d66d79041e1c6eb567c1669c59ef82a545e6f1923143727ff347ef

SHA512
0dc55ee45c3bb32ffbd0b8d670650a8b4dae55e9755449da3875f70e6a0987b0e5bb254bcc993477ca0ff94fa7eb4e96a2f6d342d7f273295d674e013feecc8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
87cb4aff2a6a62f1602a6002b7a026fd

SHA1
9505e0853f05da9e0d60ad803c1fc4bd85574b06

SHA256
88415dfd99e913944dd66dad4ce09066f178806b1adeaa6ad1f6f31345c38b1a

SHA512
04c00269e110a4acdbbd69dea831d1f4f6104c1af323f2516b0bb2017cd7871a8fc4a082a0c813f28afd5d64131e730171308e6a0adf6b91bc0b75a262d5609a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
f92ce21b24cefb1be31658f9aef79bba

SHA1
46bcd1419c81c1cbba4c9a1be521769e404e939d

SHA256
16521784e3ade51bd20dbb0a73ba7b915e74d3bbb6efaf7a844136be84ad21c3

SHA512
db823d7b8e04da0b79479f017227cda6129b7ff2298e801d187426c0a6a5414bf6517f21072479d76a4d4c40b3d6e02477fd99c5188db5d9311b4613596c6ffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
8740944b4b86fb37103d37fde4eb2644

SHA1
200b3b699b1ef9da2abb11b0eb1947b38502894e

SHA256
875c6e84e8d9a049f56b3bd11f51ccf197cf64de9c6d685ccb32271802a48bfe

SHA512
736ea611d928b3a2fefa2d59d9dbd508f2245a72debd8212c1740a945fdeaf708c46451da68de17f6e223c1d4ecdb26e9a889e8e0614f5db3a873ca81b2395a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
6c9b98b2cad112e4658552837240f3c8

SHA1
707de13b920a022c8c502336154626778c2268b6

SHA256
dcfce2b90bdc55467508a935785eefcd2258329a075de1dbf8fcbc9a7adbf719

SHA512
a246c8af8c4705285639d56f6b194a48a4604e4980a0f642645a8fe669ed7e30d2d46edcd335ab2c9883644d6c7ae216ea955c67c0d5217f8f49e47c894c17b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd05dcedeb6e12c264798068be1e917a

SHA1
28cd9c6d8dda75da1b5e079c6bfb7176bf113e54

SHA256
92d4e94407fe6b2c58b6fba8eb9277ff3a002f0cf5fb968e2d9e4abd44b78556

SHA512
1a14ee25b9a5c58aace5a65121ae8d5c3108b5daa138967f5ce5f910b9d99924ef3842d8d23eacbec5cf15e633b2058c27f6c3f5cb83b5fac680b00ffc80ed6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
275230f0fab8beabad46d9d3abfff6c7

SHA1
53bcff57e77cb3ab6a88ce42e55528fedd8bb204

SHA256
d9720006be05efc3c92669bab781a27a0532afffa3523148b869f3fee0f26912

SHA512
58378c5266a7f7e5921436258799d3dd0819e05c796c985e200857986df1338960f19b1bc83231d79ab196dce586bd5710e56299e2e163f3b3b1ed0ccad93a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b928ea985bd4e5ecc11ecad56f62a6ae

SHA1
f3d99c7c850fb795b679e448711d3022222cd289

SHA256
60455eacc2e0881e7483ef335a2106484122619ee145cfb3f8a5bbfa9476fddb

SHA512
cab7296ce11b028f936e1773c7fb2227600ff3565221fc86c25a2362415e037c53a0511249a0a5279b57cb0acbfcf74f7b5260ca9e2a28d3b16d96b32beef4ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b15e688fb9f3944a715b9abc63b57d61

SHA1
cd31fab89e53b150ec207d8f0326275b92bc2cef

SHA256
26ade6ff742fbd47ef5cff1fd07348efe3c5523b23c6ddc24c7d596aba614d11

SHA512
ab28678416d948e358120f15ff3fcb7ba99149716a06b94e0ebf1a80b809c604527f97c31466765e0b21d76095ce48e711bbce3bcbadd4307e99150f291a5345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3e0ebc29bc58ebcd52d7ec7e41aecc0

SHA1
6378ff7ec04943c65f473adc1c9588859481a2ec

SHA256
c95d1bb9e2d2142e8f6709a3046057d22d811d58fb1a2b247531ed55b965f9f3

SHA512
6619aa85e6a625ccfa7b5f40139dc4414a8df7f69e96a99a76352cd3949b13d113ddbc53ed01182ef5fcdc7cacd7cc9579f2842198dd505c3b6a2f9ee076f1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95cc48e6a561507e56c78cd9b25e4d36

SHA1
02f68a05f07d061af0ca3121a2d104a61f35cff0

SHA256
d4f98966076b263eecf1da41ea9627f0955d690ad346c7a73642c661a6ffce55

SHA512
ff5776f672975fce7e13dff3f341d310b447c8fba0fd96000e6960bf5c450d5d21a839c6faafcc99b599f61090ce4e2daa27e6d03b053c276deeb946b50dadeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f09f011b2fea49f2b0a5388225777a90

SHA1
11ee7f31ff600521871b38446e6f58c4cfc8e065

SHA256
24b5e04a3b3935a049e0a83416133ccdeb3a87b1cd4373f2e9efafdaf8f37082

SHA512
f6844c256b66564329671194d6b170dc7d5f73617f053e4d475cf54d1b8b780e409f19924cd570e4728b6bbf1e237bbcfee44ba4e0107811e99b4dd5f3eefa66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
742d39249d52b16b59a94e2188157fa7

SHA1
24b526567f8a8e9005f6b631e56b45f020592d48

SHA256
1d7cc552fc93a77c6e451b051c48abbbeab36bd5f79bc8cc291e2128f2248079

SHA512
13862842d302e1d3e6b06cd1e0fcc126b92071a56b1ce2ad2fe4e3968149cbc02851725b729e57b7e1930a9b0f4ecaba76a4d51d385971fa8080843307648c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ff9500f2776c5aa359c909e713ed8a32

SHA1
60975c800159dbc070c508213ece3178a863d910

SHA256
c7d59f67b688aaa57c348e5e5074872caa1c1fc24b4fa9659444a9dea98a464e

SHA512
f375d1b31155b77190457067219336cfe8e93cf97c16213e293160928cd00a38fbcced0fc0bcc34b7ed6be104367f793e5a55e9087971320bf8200854166ee54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b879996c7d756fa5c374dcbd135645af

SHA1
2bf983152300af410f80a32044c585a4ed4cf7cd

SHA256
7f38eb7f5649d2db9ff3e1197795bb41f60ddd549d4c943c7e8c0afc8501b91c

SHA512
47485d9cd9bae5283e13f507f9af87f7bcbae8680a2bb8331147673733113133d2f67efc61a947d02038e148c47c273209fb1e46aa732c26848bed4c7e272d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7540e116e71a59821965c4b4c72736f8

SHA1
308976e76bd5aa81788d8d455dac6beca0b5692b

SHA256
41c7bb0b8f27511dc731a7c896b7aaeb7e9b4dab61c473a6a825799a2d45ae91

SHA512
24fe3a607426508dfbcc8db5aa16b1f31f3ce0546006d3a3c7ef397676bf087f94a8bb2bab60f81a8c045c667dbe688203c8f44dd7445fcdde3f31bb2f152e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5523586b7548bb4d63c67e1e062a472c

SHA1
7ca80810bc1e99fe64526d4aad7779d5cf2b5a38

SHA256
fec8e3c2deed4aece4b4b812dedad9e7289d8f7e01061a8c25895087b357b737

SHA512
3f0af7bf4971916c629921fc4aa47fe5bbb53ae85c845762d7884f7e4e384d7e6eb38fd5de612eee8f150f883caf03334513b3bbee70a7043eb316b9597550ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mîcrosoft.exe

Filesize
534KB

MD5
1557fa3eb0df3c79c2ad656d6bcdc64c

SHA1
e96b7b9065558d10fe2c2e378ee77ac8919290bb

SHA256
d044937f38d847e33400a96b9ee34ae1f10edca0fc9d6f3b98ecb14286844955

SHA512
cd63a3655ff6705115e40973bbb5698aa2728ee995404148d091d4da456f38798aff4785a6ce5448a01d6a7fcf5b277a9555753310431387196a38ecfbb251db

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 143435.crdownload

Filesize
5.8MB

MD5
f9ee61f32f6ba5a0afabd7b4a98da695

SHA1
68ca1ec6b9ef2f3cc17bf80903a4055455cae3ef

SHA256
5ffdda2c1dccee0398563e0059a3dbd8c3b255721cfd26526702c510c688d5c9

SHA512
d5693eb89b042de54517760ee33038ba4e0296517cd83b81b31ec58f37f863723eafda1e8acd690a71258b70ee73e6121a55450bf95c01de3e5765e30791b7e7

Download Submit
memory/2176-379-0x00000001400AB000-0x000000014040A000-memory.dmp

Filesize
3.4MB

Download
memory/2176-225-0x0000000140000000-0x00000001409E2000-memory.dmp

Filesize
9.9MB

Download
memory/2176-380-0x0000000140000000-0x00000001409E2000-memory.dmp

Filesize
9.9MB

Download
memory/2176-375-0x0000000140000000-0x00000001409E2000-memory.dmp

Filesize
9.9MB

Download
memory/2176-222-0x0000000140000000-0x00000001409E2000-memory.dmp

Filesize
9.9MB

Download
memory/2176-217-0x00000001400AB000-0x000000014040A000-memory.dmp

Filesize
3.4MB

Download
memory/2176-374-0x00000001400AB000-0x000000014040A000-memory.dmp

Filesize
3.4MB

Download
memory/2176-220-0x0000000140000000-0x00000001409E2000-memory.dmp

Filesize
9.9MB

Download
memory/2176-218-0x00007FFC191F0000-0x00007FFC191F2000-memory.dmp

Filesize
8KB

Download
memory/2176-219-0x00007FFC19200000-0x00007FFC19202000-memory.dmp

Filesize
8KB

Download
memory/3048-249-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/3048-369-0x0000000006140000-0x000000000617C000-memory.dmp

Filesize
240KB

Download
memory/3048-373-0x00000000064D0000-0x00000000064DA000-memory.dmp

Filesize
40KB

Download
memory/3048-250-0x0000000005C00000-0x0000000005C12000-memory.dmp

Filesize
72KB

Download
memory/3048-239-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/3048-238-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/3048-237-0x00000000004A0000-0x000000000052C000-memory.dmp

Filesize
560KB

Download