quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
179s
max time network
181s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004505f-2.dat	family_quasar
behavioral1/memory/1172-5-0x0000000000710000-0x0000000000A34000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1172	kreo q zi.exe
408	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753298040579470"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3112	schtasks.exe
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	536	7zFM.exe
Token: 35	536	7zFM.exe
Token: SeSecurityPrivilege	536	7zFM.exe
Token: SeDebugPrivilege	1172	kreo q zi.exe
Token: SeDebugPrivilege	408	Client.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe
Token: SeCreatePagefilePrivilege	3984	chrome.exe
Token: SeShutdownPrivilege	3984	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
536	7zFM.exe
536	7zFM.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
408	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1060	1172	kreo q zi.exe	91
PID 1172 wrote to memory of 1060	1172	kreo q zi.exe	91
PID 1172 wrote to memory of 408	1172	kreo q zi.exe	94
PID 1172 wrote to memory of 408	1172	kreo q zi.exe	94
PID 408 wrote to memory of 3112	408	Client.exe	95
PID 408 wrote to memory of 3112	408	Client.exe	95
PID 3984 wrote to memory of 1376	3984	chrome.exe	100
PID 3984 wrote to memory of 1376	3984	chrome.exe	100
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 4004	3984	chrome.exe	101
PID 3984 wrote to memory of 2656	3984	chrome.exe	102
PID 3984 wrote to memory of 2656	3984	chrome.exe	102
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103
PID 3984 wrote to memory of 3120	3984	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:536

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1060
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa592fcc40,0x7ffa592fcc4c,0x7ffa592fcc58
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3680,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4504,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4404,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5200,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4732,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5292,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4652,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5140,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3468,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5220,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3480,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3324,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4564,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5320,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5396,i,4584662655832206530,10370704024266420098,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
82166db673fe0184778256f0bb860b19

SHA1
cfd881395fd7cb794173114623352dd5bd28f8e8

SHA256
ecd519287c628fbf22224834012b0025afe85349c261eed091236724d58654b4

SHA512
aa0ca6e7383b4b07309ff2d145e6492dc77ff3f655210e08bc4904f0ce49512160a301df4477081a6b5198d085840bb7a8185bf85094aae45169aba563d0c4a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
179b74a59e2b751a247ba175265400f4

SHA1
f981334e737d698afacbd6af772b27d4a6b5baa9

SHA256
8d2c04a182d5d467c5f14ef24ad67dc6e0187e02722870e2fe7308cc0c77f95c

SHA512
d82a6881a740a6e27fdbe675f03e76488f6fca62ae08e8e9886aaed1b65666b3df15817c0c3f19448948eb569417a3e7ba4231cbd333e43b3082ed93fe67ec52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
aa097fa38e48ba8cb865e2e2f27582e2

SHA1
4725dadcd1e5be2883624d51f163c21542d99ab2

SHA256
a9ae1e03bee5c23a223ec16044f488273bdbc590c8dbca4d100027162cd8f1bb

SHA512
f57407621a922637538df83624beed3fe62f5a56a53e39cd4fab73e8b17576257de75ab69f6161359c0fb67cdcd492f83304f9160d0dc999a84e5d39f5286fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
4e9a3534de007e9031afe93f7a72f610

SHA1
077338b247e83dfade29ad664a06716b1b57781b

SHA256
f13bdf4ef38d7d120baee630bf4bf73ebdc7de43d0d7b454e410c825ee3c9d8e

SHA512
43a4ebf84e8b93efda7da71824ced9ce3b88534303ae54da7ebb2c8ccb3163b89c4e37459f5c46bd413f93865f38237235434240ba96eeebf8a4ee3bd8fdf002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
627c626bbca9418470e4bacf2941f51d

SHA1
c63665b8db4e6c7c30c5233a547b2f6ad5b968fb

SHA256
1bd7655a36519559e240c3ce0166c96e59e85b251507d6f00e65678338b47bf4

SHA512
65d24662967e138a4709caf5b1ee5d478136679d2d33541e0e55cd57eabf2b16fa9b4894bc3ce349d2ab18971a1672210bae20c8da10078236289c5e4edca214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
093eb730aea35d47b5bb31dbad61c4f3

SHA1
9898cff4afe74760384c9af6ee3fc38e5e429bac

SHA256
fffc6d125519efd0fd511482a1bb42dda3f8eb4079fcea589b27cf87c4da10b5

SHA512
e44c2181b0122d0ff21ab6b5c9f3f066fd7ff2b3ed5684de1bf9f7f6da6f0cf2bf1b2179b507e9db8329345e905a950ac55a7ec247eed4ff5030aab0d896c0e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc231af6c986b045b466908b9ef951cc

SHA1
d7e4400c51658f129d71b3cb4d9870ac1046c104

SHA256
a47318e8e500545956c23cf00ebb61c20577c809389492812cdcafd647a5d597

SHA512
a5b39cace0a3445141e6db1d2b8604ee925fb5df54d07ed027ff2bb1a21bdd798ef346bdc925934d4ab28aecb016cbcf06da9ac44af65f68e262a58a6fe9ff0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8ec2dc6e9aa958aa8e72252c01f13193

SHA1
b0b16c1810f7c852c2b6cd521d11100382306542

SHA256
03251d412519bd29e7f7d6d4785ad5769b751db09c11fb0ea8aef3dad0dedea5

SHA512
2dbb2acf18f5d64bce2c533a0e5f14c0c152f3fe7d0e41a808ab28b1323cd53ff11378089ae460dc7143d18a03038785ed519833008c071844daa02e44694430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f36294fc7311a87154a18c936c926f54

SHA1
93bacf2848d2d1ad622c48ee567736a69b74331e

SHA256
f47decae5d3a3b0fe4cff52f7f27ea6e764da15f2877f3f57a53cdb72f6ddaab

SHA512
6fc6ddfca78a7625d57ca84ada3a71d90072aa0d9044a174e39443c45e722effbb37c2da6550b7bf31c1cc7a393f89cb16c983858d630f7852f011abcfe9d975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
558f54b4bfe22b99b963b99410b9dba8

SHA1
836058986936e6740b2837ad8b34a53c4467ef64

SHA256
eca8174b8f0f02680c87395f9833fe11c85554539402ebba558b8f04504aae3c

SHA512
6508548001155a0ae396f34f2c8a6cdf07fd9fbc14981b1e85ce4fc9f1c50d63d3ec92c85ea8449e7ae4fbdcc903a49b8b462b16a0e3cf30f18fdf5a5ac78c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
010b6baaff8e18d2345648dcf2dc4a9e

SHA1
705af6f19a366e6aa7865c6b062a3976e44f8a57

SHA256
4e5c87959f1edfc9fc8616be5cc016b0947154338e78574ce825aabff3ede7e4

SHA512
5f064d4bf837f743d2444e09bd0329bbb2b2f72be07c269319f014a64a5f01094657cde559862b18c62602574409cd834d9943c94d8046594d0bc794cef2a401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d2acc6614ade4618f19f82b03809679

SHA1
278c342496f040480777a7dff81a410d43a38bb1

SHA256
f4f70b34ddce4be99dbd17fadc9d22aeb261508180e7eff42e089c20c4c35adb

SHA512
3d953408811871b22d62fb5e925890071a37a4c7bf56f6f4d4d1452730249a4b524d31222c6b02e3e17e96e4b9db18020bc53c3089131c206d10ba620875736f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
757d23a314ccb1c4325d9788409bb690

SHA1
9158b60dad87d5a5499a0782ec7a07a2d587c0e0

SHA256
a8a45c323a6781d815d6e83792cd9c43c6244664728e406f4c6c61eb0b699b6e

SHA512
25f213f2e1a87b762fed262eb394d87941767e9c5a69d8b37c5bf5a35dccc44889a7d9cd34d6fc93f25360a989aa8936f82122308e67964daddb5de2e29af9ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1dba7af172ff765e1c56067cdaeec328

SHA1
aa153fda4745443621d29d3a12b4785f1cd9258c

SHA256
9ee2762f1c5a510000a1798ba2e36c95804273c57009e8e9656cfee3e04f5256

SHA512
77993dc1ce0c4596e7563be825a6f8910fc28e1b0ffdc981e474ff3fed10eeba50b932a36f456c5d5ca2c8df7e01f4af3027b88c482d1945e6d642d7dc735ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
186c82b3226e39697963f250235a830c

SHA1
62244ae51b9db3ac9dd60a7fd74c88e595f2e8a8

SHA256
4e49ee20867d2b12f7885760cd17e6262fe9f402b7b42ad3637ad31def477ab4

SHA512
c612e8466fcec629a9d83dcad83f56fe31a4cdaf75de39dc6252200509c04232c95a01e7101cfad952b7e3b7b4de2fe79669b03dfa8d49177b2bcf1123919806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
cfd5ddb40ea05428ab654d2a93fc91b2

SHA1
c23c94b61076490ee76f2325c989440cbcfb3ecc

SHA256
056d20f0e46d8df60c54fd8a46341f6a101c4af71c9b1ded234368ae3a98bc20

SHA512
9b90252a432cfad2882502e05cc142908a05e382f1d55265865921a3cc794095a4b294066b2437b12418042d7f7bfb7f39ce01ae0be25de1185fc8e4a4f9c92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
26adb0f761c45cd66ed01ef1a1fd1ef2

SHA1
8bb582fa1afee049d9bde045264d418ad63ce77e

SHA256
f966883472f967693671969deac5d5c06425bfe628ba12c47ef7050306d36ef6

SHA512
7628e7e21336fe7fbfcb608cd5b0544a563006aaff26f55afaa4e0b50ef396cf2ce7c27667013e16b7b6ff08f64b41a6efda66a0414e13e90d20f759c08a60a9

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/408-113-0x000000001E290000-0x000000001E7B8000-memory.dmp

Filesize
5.2MB

Download
memory/408-11-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/408-10-0x000000001C450000-0x000000001C4A0000-memory.dmp

Filesize
320KB

Download
memory/408-15-0x000000001C4E0000-0x000000001C51C000-memory.dmp

Filesize
240KB

Download
memory/408-14-0x000000001C420000-0x000000001C432000-memory.dmp

Filesize
72KB

Download
memory/1172-6-0x00007FFA4C510000-0x00007FFA4CFD2000-memory.dmp

Filesize
10.8MB

Download
memory/1172-9-0x00007FFA4C510000-0x00007FFA4CFD2000-memory.dmp

Filesize
10.8MB

Download
memory/1172-5-0x0000000000710000-0x0000000000A34000-memory.dmp

Filesize
3.1MB

Download
memory/1172-4-0x00007FFA4C513000-0x00007FFA4C515000-memory.dmp

Filesize
8KB

Download