quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
98s
max time network
100s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-11-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x002800000004506f-2.dat	family_quasar
behavioral1/memory/3524-5-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

kreo q zi.exeClient.exe

pid	Process
3524	kreo q zi.exe
3132	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753086676365421"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-584106483-899802418-1877852863-1000\{80BE19D8-A3BC-42B5-8BD9-96FC24798769}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
3592	schtasks.exe
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
696	chrome.exe
696	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2288	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exekreo q zi.exeClient.exechrome.exe

description	pid	Process
Token: SeRestorePrivilege	2288	7zFM.exe
Token: 35	2288	7zFM.exe
Token: SeSecurityPrivilege	2288	7zFM.exe
Token: SeSecurityPrivilege	2288	7zFM.exe
Token: SeDebugPrivilege	3524	kreo q zi.exe
Token: SeDebugPrivilege	3132	Client.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe
Token: SeShutdownPrivilege	696	chrome.exe
Token: SeCreatePagefilePrivilege	696	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

7zFM.exechrome.exe

pid	Process
2288	7zFM.exe
2288	7zFM.exe
2288	7zFM.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe
696	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid	Process
3132	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

kreo q zi.exeClient.exechrome.exe

description	pid	Process	procid_target
PID 3524 wrote to memory of 3592	3524	kreo q zi.exe	94
PID 3524 wrote to memory of 3592	3524	kreo q zi.exe	94
PID 3524 wrote to memory of 3132	3524	kreo q zi.exe	96
PID 3524 wrote to memory of 3132	3524	kreo q zi.exe	96
PID 3132 wrote to memory of 1256	3132	Client.exe	97
PID 3132 wrote to memory of 1256	3132	Client.exe	97
PID 696 wrote to memory of 1568	696	chrome.exe	101
PID 696 wrote to memory of 1568	696	chrome.exe	101
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 3484	696	chrome.exe	102
PID 696 wrote to memory of 4924	696	chrome.exe	103
PID 696 wrote to memory of 4924	696	chrome.exe	103
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104
PID 696 wrote to memory of 1208	696	chrome.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2288

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3592
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffedc49cc40,0x7ffedc49cc4c,0x7ffedc49cc58
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4868,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5316,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3424,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3196,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=504,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,10495278782615917772,12437503823299298718,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3440

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fe42b9fe85ede00687e7b6df14b92aa1

SHA1
e2f4a0ff511a482f07b0631f245a4eb3a9d0de88

SHA256
c912f7aeaad23e44aadf112f1050dccdbb740a643c229f04d5f62ce8ac0be073

SHA512
6d760fbaf837bb0ff6aa4e4c31c7c92505c71f20384bb4213fb8060192e6c8a61a36c4bfe393df7f354012376c933c024b7d40d5b59ab8a90ac321ba61b25318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f2f93663b12e4aeb993bac968c28b73d

SHA1
a2023e248006209ff8ce879b05a25f5f8ef5bd8c

SHA256
53e1ed9505e65ce0feb8cdbf4854f5b867f2ef626c344972f29cf76b616dbd93

SHA512
7189cec16dd7617d33aca7f35f55e65fb83c00c32f1d485e909b11d00c0dd2586e17bb7d7f92d9781bbb7780b9bfe826b5a7816e583d70c89ec51dab57cea234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de638f8c76beafeb9115f881c03af5ac

SHA1
8f068ba6a6bfa180c3e7ca92a59bc859ac1baa6a

SHA256
ecc1abf260c9899873a7637ae180127479cb6cabb70d39fe8b484256bc0a6538

SHA512
9f2dac950434e1ec7af052ec4993bee81ca99fbc0aee036b1bfdef5fcf6539fe467bf96a420edebee450db24b063a92916de9e6ea6e922c29c4bb9472b98b420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd7ef61fe5853984c65b2630d1f18b0c

SHA1
b2696b945a148966f2a1619f24f6938b16fc6bc9

SHA256
33f5f0d7be8046afa50b0436fb7c582d1db776785f28c5ba50b31a0a438dda92

SHA512
60e2b06f0d3692f75949bce5ae8845182f7e4e734a793a67ffaa94727ee7714ff063bbc7bf16f735905ededad9e7d862a8082d7c5b7c4b6315fcfaff16bb4ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
47274a25eb166fb22b1a5311b50940ea

SHA1
f12545ec0bc83273eb697efefa9c917674bf9e2e

SHA256
f76c1c7c8803c45d5993b1866c76e3ddb87c471e681cbac5268388a826e680db

SHA512
71cb68db9d0110d1eb1117ca9ee667fecd0c76b01965580abafc053e79498685bf43a7bd9fbabfa0ca96162886d23649868ca4ced48441efb83ffce6e2e2db13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a0747060e48bc1ba28be9e58dcff0b81

SHA1
d336754cc890ac03a42af4b9ca4f6806c99f6801

SHA256
f7cc1d69a36467deca8c3ddad35dd21fa31c833039d5eb994ea0b47e7b53d4c1

SHA512
7de7a70130610c36b41e501b125587bac289e20f450496d236101024ce6fcb4a066519a941292eadd2a725a48ae70b5ceb596792291d8856e11851a8832f6f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
48cd6b250440f6688c65d260b20f80dd

SHA1
6624ec1f0b1133c32dac81905448809ff901f935

SHA256
68276448e929401417b49b45e2f436a8a4d3c9cec4f3f438f280e22a22ba26fc

SHA512
72b5eaf3528601c09be73400e3f43eb83a1ac7ba1cb05ec5d512bdb44d797cb6804afd006f38b783f2cf0e20ccef13d70723ac8134e2525dfb4fafb2023aca63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
6303bc3ddc12c19a8b0509b2b2b6654d

SHA1
2c8ee0d4d0dbae888c96cadc2bacd6bf688622e4

SHA256
7d563b3c4795de8fedaf36c7540e31562478bf86fe4ef765f8b1626eec8ebc49

SHA512
0d622cbede04001d70e851d16ce79b642c51715987d58c5ecc52c54f1a168f8e6358c006bd7148811d190ab705f11e052c923748d6ab45f4c59280e72c415d13

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
\??\pipe\crashpad_696_KGXJCNKMEDDBUARW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3132-15-0x000000001D7D0000-0x000000001D80C000-memory.dmp

Filesize
240KB

Download
memory/3132-14-0x000000001CC60000-0x000000001CC72000-memory.dmp

Filesize
72KB

Download
memory/3132-11-0x000000001CCD0000-0x000000001CD82000-memory.dmp

Filesize
712KB

Download
memory/3132-10-0x000000001CBC0000-0x000000001CC10000-memory.dmp

Filesize
320KB

Download
memory/3524-9-0x00007FFEE2A40000-0x00007FFEE3502000-memory.dmp

Filesize
10.8MB

Download
memory/3524-6-0x00007FFEE2A40000-0x00007FFEE3502000-memory.dmp

Filesize
10.8MB

Download
memory/3524-5-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/3524-4-0x00007FFEE2A43000-0x00007FFEE2A45000-memory.dmp

Filesize
8KB

Download