quasar | 0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

Analysis

max time kernel
173s
max time network
176s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-11-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.exe
Size

3.1MB
MD5

28ac02fc40c8f1c2a8989ee3c09a1372
SHA1

b182758b62a1482142c0fce4be78c786e08b7025
SHA256

0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b
SHA512

2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767
SSDEEP

49152:7v+lL26AaNeWgPhlmVqvMQ7XSKsxRJ6wbR3LoGdGTHHB72eh2NT:7vuL26AaNeWgPhlmVqkQ7XSKsxRJ6K

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-1-0x0000000000BE0000-0x0000000000F04000-memory.dmp	family_quasar
behavioral1/files/0x002800000004504e-3.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid	Process
3152	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
5040	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752203416120107"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5040	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2988	schtasks.exe
5020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2736	chrome.exe
2736	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid	Process
3152	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

kreo q zi.exeClient.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	2068	kreo q zi.exe
Token: SeDebugPrivilege	3152	Client.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
3152	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

kreo q zi.exeClient.execmd.exechrome.exe

description	pid	Process	procid_target
PID 2068 wrote to memory of 2988	2068	kreo q zi.exe	85
PID 2068 wrote to memory of 2988	2068	kreo q zi.exe	85
PID 2068 wrote to memory of 3152	2068	kreo q zi.exe	87
PID 2068 wrote to memory of 3152	2068	kreo q zi.exe	87
PID 3152 wrote to memory of 5020	3152	Client.exe	88
PID 3152 wrote to memory of 5020	3152	Client.exe	88
PID 3152 wrote to memory of 2996	3152	Client.exe	97
PID 3152 wrote to memory of 2996	3152	Client.exe	97
PID 2996 wrote to memory of 2400	2996	cmd.exe	99
PID 2996 wrote to memory of 2400	2996	cmd.exe	99
PID 2996 wrote to memory of 5040	2996	cmd.exe	100
PID 2996 wrote to memory of 5040	2996	cmd.exe	100
PID 2736 wrote to memory of 3552	2736	chrome.exe	105
PID 2736 wrote to memory of 3552	2736	chrome.exe	105
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 3812	2736	chrome.exe	106
PID 2736 wrote to memory of 4804	2736	chrome.exe	107
PID 2736 wrote to memory of 4804	2736	chrome.exe	107
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108
PID 2736 wrote to memory of 4716	2736	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kreo q zi.exe
"C:\Users\Admin\AppData\Local\Temp\kreo q zi.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2988
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5020
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:2400
  - - C:\Windows\system32\PING.EXE
      ping 8.8.8.8
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7fff5bd4cc40,0x7fff5bd4cc4c,0x7fff5bd4cc58
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3124,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4544,i,11467118554854596463,2659538861096216601,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:1852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a4df2e5e956fd5e7e9f2663ebcbb924c

SHA1
eaa218b6a06124d020dad964049f4016a82aaabd

SHA256
3ba6c829f506ffbb91dac64beabb19a4adea74d1b61c8e4fc955006b280947f4

SHA512
ac299d65b2fa4b88c6e58967cc332591b1a08b66302affd90d8b21ef50b0c3edd0a27caad0cc4293515168a33e3e35c08957db960cbf0c75334bd9110f0ddb49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
72KB

MD5
7c244372e149948244157e6586cc7f95

SHA1
a1b4448883c7242a9775cdf831f87343ec739be6

SHA256
06e6095a73968f93926a0a5f1e7af9d30ecca09c94c8933821ca0e45732161ed

SHA512
4ce4d73b785acde55a99f69ea808a56dec69df3bb44ac0d049c243fc85544db4c020412634da52a069b172e2484a6f2c36799e38adbfb988bcb5703fd45b3601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
409KB

MD5
9eb896400aeed1ae01e4ebcb275cae31

SHA1
eae8f954511ce1da15541719e9b707b3f76f1169

SHA256
c0e193d3bd4feae3ce56fe0e081acf8cbb19892589b3e6a5071ca7a3af7c8b8c

SHA512
94391e8812f9eabc140b6bfcdfe5a3fa41371178565044ca34d9bf05e44cdb8c99a4ea3d09e00030859a42fd677d4e5d260e4fd92d1df16f9edaf96554157d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
182KB

MD5
fcb908820d6f84c3e604f3245790f0de

SHA1
b9f4b3df437f3a7aa654d4ff181d0fe1c3a79120

SHA256
5f8fa6cff780af26efe9cca16ee652f6840c81cb6f0b11f1a58183925347ff4c

SHA512
b68a894942491ecb9f4feb4162c0545dfa9610d8eb26244fa81d6c2f6fbd13aa52b7a3381269bf61d0b5dec3e89a7d4218b1ffc82af51c4beebfd3b9b558124e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6d5d64734051978723668d3376f2336b

SHA1
8f65a1d74d371a14af88f94813aa5cade3cd9588

SHA256
dc37d98b4a4e80b7a0f3338fb9524b37e88fda89e0a97888730a54c7e5fa2be0

SHA512
ca70161fd2d228e659c6bd6369d2d95be4c1f023a52910c98b45f42e22467c6dd15119ff8016ac6b9ad9f74ab889786fabb82ae011f7be8a9255dfa4f44807af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
18578aace84808fa55f5ced134e1c4fe

SHA1
d6eb0c17bc815075c214b1e24710d1a71ad60061

SHA256
59c9f9bf6f58524796282899651bfec57c52a98422d859dfa81e7a36171b5f64

SHA512
47cab6cd97ef44f93d6f90b6be653fb8f1c9e48f440caa890ae40593d6ff75fa64c62f3689d210db1581723f0b75b3fad27d11cc57a4078f9f5bc2e86aa2d68e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
dd38598cabae299dd62e5c185b2296c0

SHA1
a16e99d9c0fb2c67de7f85f48105efca90cd2304

SHA256
d530834b501b334ec1422f1c457fa2f99c2e9cbf8d2050a5d2d13d1a0ec19195

SHA512
f89cd2d6c00d02dc787a9bc807110240caf5b83c7c408f24ab33651f5791012816b12ff374923f1867bcbc285542d9d838f2af7c7b24bcb56e6b69a963b1b104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
63fe5d492db25420e526e2951f1351c3

SHA1
c1db0abb6cab2ed831ef38379b0aa5cedbdffdeb

SHA256
5c2751753e9d6bcbe9fbbda64f61b5959c8bfe973b8ca54859e209a790aae3be

SHA512
33172c940173a67b7922fb5336399144f2a4be3f3de63c8c9bd74606c6b9f426b9245f0acf0d623ead39249ae30316ae63918359ece5ff5e4e69ef06e4c56b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
653a097d1c903bb5b8607a5204d736e4

SHA1
b74cfbf6cca74567e3f085dfe4a6a25506673a7b

SHA256
1347a7eff12a55d2ef73f710fb2099c03b5d4024148b8f2a2eb22a211ec4bd22

SHA512
a76896384ce8f4e54d8a0b70fba2cbf7c428b26b19f8602a7dd8e3cb79e3438af814ac3765832fb3ec65e1260bd52a53fc6a7ed50f0cf7114d7eb678c24943b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
22d73325d0caf36e46e4e8c4a65869b9

SHA1
c5c2c40437f544a4407cbe2f5c45580a714fc20b

SHA256
bfa539d5efda33b889d79316f2613fda2f025ff925c5cca9ffd4f21ff853d4e5

SHA512
d4f206e82c0e29f499c82d9d2615cb474dbc3c0e835f5331e58c2eb1c0cf9d8e886d1839aecb7d25701fb8c19654082d95a67358d4ce0e9e9169249435cdedd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
7b29bebb3648b08280b28a3f8760473b

SHA1
945c3236d8a5cba2e660fc22d89771365fe59b33

SHA256
3f11b583be2feba96d165c540452964a4329c2c9674c8df51e1a9a0d22f1af27

SHA512
2b0192aade8025b81ae78d0513eb437a39a01bc2ab97ea0e63bb951b3174c502b474d885cc0b57191aa10a19d8ef08ed8b54287441b700b397912b5e60584f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
99e6fd286b8eb1f864d6addd26181e68

SHA1
62c96346f4ef519746467aa6c260e368ac794baa

SHA256
8c92991cdf666d95f155dbeb2e8d568091689c83e7ac828dbb2e12c19673bd92

SHA512
2db61a0e5323f928425c0eaae36fb119fe6918d7b5aced5185be27c055fda0d16d35ed18b0d294a5ceab5668569c9d6b4f1b9d5828495e5139ec9e085d9d3a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17680ed257105b8dbe10ec610f1c11d9

SHA1
7d7b597708fde22b2f322e0ce3c550fcde47a2e4

SHA256
876810986fb2a764d478d8a491ab6f8a0f114acdf3397df27271a6548f4be470

SHA512
25eb7580b988cd134744db5591eb2cc597efa0e4e3b18c2f99b878f0a7b85fe0765869c92a57ce5c9b5d02eda8b433657805d53b8790419c797acd41333d9d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6deb51082fbf848ab656cc9455cc1d65

SHA1
72c239d33df1df9eac427e9940c0364e8b68f059

SHA256
a560d3946a9c26a4cb61d62b79bb1f48cd8119327cf6b08a366e32121d0ac4bb

SHA512
c97ba9b8c6fb5b5440d72f42c64fa30b2a66496b3f264208c9704d54eac9224e8cb2ba5db0c94c21a7e3cdfb37a35c9ee5898983a4b2ee87c6547eba67b1ca69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5da83b943114bd7c4b9ed0581d8d2e3c

SHA1
df25bc4ed4634f56cc8f89c95ecf0dd37d6e7a0d

SHA256
95475e623d0ac33c82da00e9112694b4961e4a5f39eaa775e11892527e0db659

SHA512
fcdb126387be459ba4fe90bd1b1fa559ddbd01c0d71a55a7a506e82363c733ff0c5ca435e352c70aaab81bc612dd5b88c72d94745d68f2b2355b53f15ceb0994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4579adb0fb3b86eb1a9a8c198d8266f

SHA1
af38c59d0019a2fdcb47f838e9c3a47491dce122

SHA256
aa2002856a51f9eb38296ba37df129f61557dc8b316180a68ffdecd084715e4f

SHA512
0e45bcf903e8344aebdcf8061d10174ebd5a359e59fcf7513b986ad6d3afdf8f8a03a01fae6ba80c248af8a92bf699fa7e8d9762fcff6b0c56d557954a7701f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f24fef87b932f8a0dc38c9dcfae39f4

SHA1
e218cd8afaeaed31775f1aee4b6f8f4d7600c254

SHA256
96ffedc84238594f5e82b9ddae12e7eb2e063dc82b447fef4a827f8ca4d518b3

SHA512
62955774553cb5848ff0f5c1e3954242f256fee68c125df0a0bec23b64a42f0072890282f9bbeb578cd758deba11082498282537b1d04076cf1e4875748bda82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
408efad1db29f844ed95153aeaff9fbc

SHA1
2134f99196361fd9f671edd7b37da60db198eb6e

SHA256
210da99cea48a67b00033dbfe75e44de8db176803390aca5d58a0b1584a5c58b

SHA512
2c2bcd0e9853baa993f50ddb2dd2eb903c40438dad20ab1463f73ac61c1911b2026b7266f33618a41dd435c4e496ef937611aa67fff7cb32be592eb8e3129856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
211969fe07bddda1e6cd7a899a91830b

SHA1
aab2783707f85303b4fa4c38963b8c984fb56f5b

SHA256
0e35535f69075ec5c37bca6a8270271f602deae9aec9fcdd1faf3a30bf6abbc6

SHA512
4de32cc3453ccb6bc8e04126d0cdf037024c0d1ea34d8b5d0809bb80add925941323cd24bb7a2000abbc7ec323075c6693c9c273bb0a2ed60836ea16fff89d8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b1273e6cef8f926ec95fff11c374f578

SHA1
9c7096bd69d87ddf4bf1ae39a96a82f3a2609282

SHA256
e66c429e0aea2573f69e957798b4b903d66c49dbd14152247818160e0e024f60

SHA512
3c634a924e177f109166976b9390d38cc718db2d293b6a5b72698db675656b828b1dfbc223fca1e2b41bffeffbf5b20eadcae73dbd586fdad4fda6ed594bd3e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9f57e0de55996041670df846d21c8dcf

SHA1
15b7cb4ed6d4628ca5e7231dadcae6792c59d003

SHA256
72c741418e5ea58f625d512c058fd08eb064e558645916155cfda35f2a28e9c1

SHA512
271568d8f8b7fa2cb6c7b61cbb2b5273d7f518c1f664a7d7b8369bd49c26f74addede58d3e88c3b55f50685997dbcb2467fb11dc6f2815cd742514c89de902e5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
\??\pipe\crashpad_2736_ZMGMNTEQZFZCQDTZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2068-2-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download
memory/2068-1-0x0000000000BE0000-0x0000000000F04000-memory.dmp

Filesize
3.1MB

Download
memory/2068-0-0x00007FFF605C3000-0x00007FFF605C5000-memory.dmp

Filesize
8KB

Download
memory/2068-5-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download
memory/3152-12-0x000000001BEF0000-0x000000001BF02000-memory.dmp

Filesize
72KB

Download
memory/3152-7-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download
memory/3152-6-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download
memory/3152-8-0x0000000003340000-0x0000000003390000-memory.dmp

Filesize
320KB

Download
memory/3152-9-0x000000001D3E0000-0x000000001D492000-memory.dmp

Filesize
712KB

Download
memory/3152-25-0x000000001EDA0000-0x000000001F2C8000-memory.dmp

Filesize
5.2MB

Download
memory/3152-13-0x000000001D360000-0x000000001D39C000-memory.dmp

Filesize
240KB

Download
memory/3152-14-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download
memory/3152-15-0x00007FFF605C0000-0x00007FFF61082000-memory.dmp

Filesize
10.8MB

Download