quasar | a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

Analysis

max time kernel
151s
max time network
153s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lo último.exe
Size

3.1MB
MD5

afb2e5dad453db7cf42339f806f37532
SHA1

90fa9e8b4ed9d086d67b9f86dc57151db1637ca9
SHA256

a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e
SHA512

72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f
SSDEEP

49152:Hv+lL26AaNeWgPhlmVqvMQ7XSKwkamEoXdl3THHB72eh2NT:HvuL26AaNeWgPhlmVqkQ7XSK9af8

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Ingrid78-20703.portmap.host:20703

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3192-1-0x0000000000E30000-0x0000000001154000-memory.dmp	family_quasar
behavioral1/files/0x002800000004513f-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4212	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754000185296566"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4628	schtasks.exe
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Lo último.exe
Token: SeDebugPrivilege	4212	Client.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe
Token: SeShutdownPrivilege	3260	chrome.exe
Token: SeCreatePagefilePrivilege	3260	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4212	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4628	3192	Lo último.exe	84
PID 3192 wrote to memory of 4628	3192	Lo último.exe	84
PID 3192 wrote to memory of 4212	3192	Lo último.exe	86
PID 3192 wrote to memory of 4212	3192	Lo último.exe	86
PID 4212 wrote to memory of 4088	4212	Client.exe	87
PID 4212 wrote to memory of 4088	4212	Client.exe	87
PID 3260 wrote to memory of 4780	3260	chrome.exe	100
PID 3260 wrote to memory of 4780	3260	chrome.exe	100
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 3628	3260	chrome.exe	101
PID 3260 wrote to memory of 4872	3260	chrome.exe	102
PID 3260 wrote to memory of 4872	3260	chrome.exe	102
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103
PID 3260 wrote to memory of 1944	3260	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lo último.exe
"C:\Users\Admin\AppData\Local\Temp\Lo último.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4628
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffef9afcc40,0x7ffef9afcc4c,0x7ffef9afcc58
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1900,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4932,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3280,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5280,i,11170566379451767651,5151165840822110086,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7fe8d59c52cb234b0398eeb83168e00c

SHA1
cd15591ab70dd209cb5f6ed303e94db62e4f7cf7

SHA256
39bdb75b905f782e9a01bc4b91a503a3ff98693edf7a6387f88431b058184e08

SHA512
8a268a19bc72219f189452353008fda9fda08a6c03c137b08b11f3cdecbaa891e7c905b84cde82167d42f458b2fbd0f86ce4827583fc845db24d62e947f2c42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
2517b3f33d18354f784f1afd1085d959

SHA1
5fa7ab7d93f48b7d53748ac2eb3d359f7fc50f91

SHA256
bc1e13046ea9b935302561428e560b4cd32430f3ae5b5fbc99d07809625afd83

SHA512
eafc4dbfe4227aa722ecdc108b531cf20badde21c6a67856d677ce4e80cb42846849029211724302902a46e8bd862f2abea7025c985dd51aa8a9d45c8f4e07b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
1ba36355b6246ae44dc555f05117b146

SHA1
52eb9f91cd426135d066ae763394f6d7804928c6

SHA256
34ebf1b397baceec66b434381b094a7cdb8ecd7d9b15d54ddb7aba5867d71265

SHA512
dd07702acd64a3f5a58eead505a7f8c328a45a67c48549611a2f5e0aae9b17e328e0170f7970f0d9a0d536a4c8f17ee4efaaa2af4dedbb79139bf5efb29a5629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7d181ea2ea52a502c4d13c2a09f02acf

SHA1
01f01f67e684dc7387a8edf508812b10539e0cd8

SHA256
1d624d2e42ee6023ca2e9357c24bd9b5d4afb7bbfa6bb80909f3a377b4a593b9

SHA512
049d82c237548ded243969719f629ab0e913296e45034d36f85e30388afcceea4c7ea4ecba55c0f0be31b0285ae316246a2b93090cac7e244aa8a0df0d8c8e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4dd71a272287eb045d2d04136ade3db6

SHA1
62088b6c744aed55dbd177f9517a87d8ddd5ecae

SHA256
aaf4f974ed924f932afcf72b3fdc77ad17d20eff1725dc4f33620c23382bff6b

SHA512
1eab94b83c399ca81d564bfb4ac0755cac922ddc31bddf977ca0ccd5071ad72d440f73c62f6e701ab54be7a66c4fef3a82d9be9b3cf313f3a464ed13c0b55c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6931d7996913f29974b92dbf1cbe0a78

SHA1
2a0be993056e8865f0a1f36804f27e6e15a79bda

SHA256
68d2e22be661dd252d04ddc0b7555e9a8696cd1df0b679150548250fa41ca111

SHA512
c22e3e03c2bbfd335a8a56fc0a20197acbf991e3da3da86d3ed41e66d4691582f35e656d72557700c1662fbeba254d8a19ae3e4d9471528db8a08b8fa377b451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4cf5d50e1e491daed694a60e3cb89ac2

SHA1
803435c66322807801b5cef79e7e745db87de212

SHA256
4a137ddb035b5cc920dbb53013548d8508af67762f71023e0cc0dacfc54be559

SHA512
b432c137fdcc7f9b97b29826a17dfa3c837dcea3b4601eade88bc1d8ab6d99941a99c1ac3e5502c87879ea10f42d58a0d9b97486dfa0f4d5a6d19ae4b32089db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
c5c08f9d99f823c04336caa976256af6

SHA1
8f71f441c8cb6a61fc7b81e9b80d97e7a7aa98e0

SHA256
61643dd849bc814d9fc6ce04b4f12b82cbe4b106dc96a083d87baa9a4922911e

SHA512
9431d8ae29f0ec5c624ebef7a9ba43e4ec205d8dc8385550b51c165192fc1c0089c4ab4407dd459473d0a2a998e8555fade1868371255310bb7accb8510598a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
0b286e293d4ed649a33f8c29dc66312f

SHA1
179286ba2641da0c5376bb859673d3e045bc1aea

SHA256
c472a3f11e48ce7212270ec1a53edbf8e6b3002e8a030dc9e2fe03d96fc2dfbc

SHA512
0101c206830946a7c4a87bbe121e111704de966791caa8e98ac30e5f6bb0605a312b8fb62e9e1be010331bfcf6f8c137526656bb41e2747ca3d3caf4970d4f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
33e86485aab6aacf0a5a179e4eb2bab7

SHA1
39b127ea641c3f6a027763cfb55cd61886648d36

SHA256
394a0ad5f63c84cf3399ec3fdf932ac0fa81518bac8d23632ec081fcf7d8800e

SHA512
03ca4dcbe897d5d53428dbca7c5c3f90db250194e52bd90f852620302448faedef8c25f9d88d6f88dcf0a378641c296a5b55b906f1cf819449bdfbc2b7da5a51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
395f1ce0e71ead809508fad3e262e26b

SHA1
bb13234dcb46706306d038c5be6f4602bdb59646

SHA256
f6900916520b940f3b53b6c41fb510fb4a5ed1a1bde11aca08665ffdf43667e9

SHA512
d8b10d7dc51cb49238d9b267aaf4c9bc4feff2ab13e065cc0f3727e4095e5cf294877a7dda911854324753e2cfc28e4309f5c1afd0768f768f03df7a9d30278b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8cacf0eef41f711f8b563f57685c608a

SHA1
81a47129fd63713a18411c6025210bb718e2aa5b

SHA256
7daaa6dfe8eef22ca0711c92daec69d4aad0c18d9561ddde872b37370365dc0a

SHA512
3321f03a761109cdc787548bb6efd88bac99ced1aad7f874684d027f8cfe5b062e86762d23dce31454f47fa47f7178a3e674c41b8167bfad1b155bc480536517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8689efeb9b10b84b24b3666b6cfc7d9

SHA1
e93b6c4bd12780b0216d2d9ce224b62cba4a982b

SHA256
6218e47eb4f9a0670fd85797dce557863b400bdf9e68e6b9e62ce43cd5cae34b

SHA512
4e53e14c96ac84dfe5492f3f578ff305cc38b9815972c0cee921b669a1611a5e887d89ac9c9277ede321b872872486320126e142c0f4bcf442656e38df9b6e48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2ce9da91abbf1c050dab8008ccfdca64

SHA1
3e260ecb35fdd34743ed24b74ac686ab5315c48f

SHA256
facba8e1adadda36565197e13711f2e03f6653bb0a3a33712522401d206784d3

SHA512
e9e6579d668fb824f11fb112fa8c75cc19dc5301bf745038901cc92892efa8565b5a2c57d5f7580f6158edd7d31f9279e55337d521744f4cbe59258a76df261c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7ea29a3f4bdcbd0bfdb178044f4f59e

SHA1
d3acb4ce6cebbacece8834ded2a4ac5e8c2ceb6a

SHA256
7c73cd46ee464a59b8cf720af6034cd559739eb383bdd683f3c9c4b6c4abc8d4

SHA512
c5f83a9b5ebf29d6144fe2631e6b4126d3c6e3417294207890ba213e434c681cedb534dd005a20c80638bdb6c27ea66bddaedc789d30079f275bb4e5266a0800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
72e541d8831977300d3f5ad96a9f7192

SHA1
5cabc83c3cd73c32be0977210c0ce496cc60ee03

SHA256
9d11bcef299b1e6b2b230fa8a67ab9e3c0214a84270f80658484cef933afb338

SHA512
84b690f9e04e2a9e4342a1e639a16b2f601b88f0e73d8ac6da4ce344273a7e881128eb893f1a041ff979a72015daf741d217f4a07c909811158ed5c9e1d04a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7fcc7656877eaff5d3d9c20c860006b3

SHA1
fd26ff6ed345944eecb54e6f80cd22db5909e023

SHA256
315966961ab04599e29df107d7ec801db87e9c53502b049b55d5e3a062f1e16f

SHA512
ab7f639c163fd5c47cda1c338bd907968634394f2995971475c4f6c868e5724d9256950242447df189e3b522c651e97e45906f4eb8bb17abf8b519a48d80d44a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3d50e9d0181015277c2a5c20c369a6a6

SHA1
4468c3590804483f2169cf77a2dcc9482f2e790e

SHA256
0705c5d012322ae610e3f5a8325b7e999081502ac01f439525960045763117c5

SHA512
eee116f820da288b128354d69be586325eabfd77a0e2599f02c296dab26948b7f5bd51eca78e1e0b56d21349e7436e172f1415c5988ba34e12d765d695b85765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d577942a7369eb60b9d6816dc01833b6

SHA1
ca9eafe5e54efd0484e81d6cb69a21624d05cd76

SHA256
aebb752e851c32e4f5f8a7a16286c22b5cf850ddcb30ac0d724948d9832ce485

SHA512
931d7d4e2b0eeb84e57be8e8c2c57db4dc996aa54e9f066b964f0a1d84b18acec7e977d81cb51cba15c01081d2fbb70ae5a94a5696d764d1d97edd5ceade0955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1851273031667315d576840574960578

SHA1
27ead61391ce9183e56b9d127f828fd0971d6286

SHA256
48a1533c71511b6a9dc019ec069be4792baa870539cf31ebd72c69ca7cc3ad2d

SHA512
111707b195faf5e4a2c2c3e9b24f675ba55fac53574ec57322c4ace484bb7aef7261ba6cef3a8cee43b20ee6051feb30ecc885360eae5ab24c23b9741b636fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
0685139cea00fb3be3f440e2f2b1bd8c

SHA1
e397409f632b950e4edd559363ee3316bc15bb20

SHA256
a747342721567896646df4df72b6f43da59945d4819532d9b7a1d7b81c53d4e7

SHA512
7970379ee758c94975ed744e405ee1e992025d16454b5241b8c8ce728cba237a7f20cea008e42c478cfd67620954a6bcb801f796533730c508dc4b31b596e2c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
dcffe7d9a3800c54d183ab40eeaefd87

SHA1
6abb9e31c576757b56c60bdaaf54c8abaa1d735d

SHA256
8097d286022ef43ee0ef855a4f80d35f479b54a94674e851f0e25680a46ad478

SHA512
18944092f744b8033835d752c3741e57726016c8f730e5040c94c6ab984411e2bb90b0873aa06fb56714aff2a5e7707c6f39e50b0e11cc36b93c36394051032a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
9d177d8f3cada130cade8a603ea400e6

SHA1
2d110bb639acb36bd78693c5ba1cc0af84b6f135

SHA256
545e9b327d529106326cd237c1aed150fc4ce80ae63c1b1461e7ddfc1c9ff47e

SHA512
1ac83c16e3b7f50151be14aedcd9be2893a344ad305ed64be70ccd6b38a819f9b87ac511ba204396ec377495a56a842905e744afdb3fc667b7b7f4af2f7b79e0

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
afb2e5dad453db7cf42339f806f37532

SHA1
90fa9e8b4ed9d086d67b9f86dc57151db1637ca9

SHA256
a4b343420149aabd8ef8af687bcb7b252af476c4c8fdad177c3cf5d65ccf912e

SHA512
72c3474f11a90bd904957030d019611c460dfa66524e0113b40b18a4ae0f3d81d56ae125fa2f247b266e71a11fcaad5884987036563e9464dc2e973877f79f3f

Download Submit
memory/3192-6-0x00007FFF02130000-0x00007FFF02BF2000-memory.dmp

Filesize
10.8MB

Download
memory/3192-0-0x00007FFF02133000-0x00007FFF02135000-memory.dmp

Filesize
8KB

Download
memory/3192-2-0x00007FFF02130000-0x00007FFF02BF2000-memory.dmp

Filesize
10.8MB

Download
memory/3192-1-0x0000000000E30000-0x0000000001154000-memory.dmp

Filesize
3.1MB

Download
memory/4212-13-0x000000001D200000-0x000000001D23C000-memory.dmp

Filesize
240KB

Download
memory/4212-12-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

Filesize
72KB

Download
memory/4212-9-0x000000001D260000-0x000000001D312000-memory.dmp

Filesize
712KB

Download
memory/4212-8-0x000000001D150000-0x000000001D1A0000-memory.dmp

Filesize
320KB

Download
memory/4212-7-0x00007FFF02130000-0x00007FFF02BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4212-5-0x00007FFF02130000-0x00007FFF02BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4212-14-0x00007FFF02130000-0x00007FFF02BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4212-83-0x000000001EA80000-0x000000001EFA8000-memory.dmp

Filesize
5.2MB

Download