quasar | ec1748bb524a5304d32d79ce0bde249c75d787812ad9a49bcd5d67a58c98859a

Analysis

max time kernel
223s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-11-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

e60175e496024c929635816438b40fe2
SHA1

56a7bc169835945de5ac601426e720301141b144
SHA256

ec1748bb524a5304d32d79ce0bde249c75d787812ad9a49bcd5d67a58c98859a
SHA512

96bea0aec6b4822bbfe4bbc61d7d70dc27b18ccda3f85c7e8c9f8157235fc57812ccc305869d20df0ffe7bf34f1ba757c837752aad1ae0f5eddea95acc13c119
SSDEEP

49152:rvnI22SsaNYfdPBldt698dBcjH1ImebRjLoGdATHHB72eh2NT:rvI22SsaNYfdPBldt6+dBcjH1Ims

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.68.64:4782

Mutex

aac51872-c353-4334-af00-fe48eb068661

Attributes

encryption_key
6808A7D4497331E0215E1BD4F8BAFC9D1A6A08F0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1352-1-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
behavioral1/files/0x001d00000002ab30-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2876	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773139673829559"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4376	schtasks.exe
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe
2236	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	Client-built.exe
Token: SeDebugPrivilege	2876	Client.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe
Token: SeShutdownPrivilege	5104	chrome.exe
Token: SeCreatePagefilePrivilege	5104	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2876	Client.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2876	Client.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe
5104	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4376	1352	Client-built.exe	77
PID 1352 wrote to memory of 4376	1352	Client-built.exe	77
PID 1352 wrote to memory of 2876	1352	Client-built.exe	79
PID 1352 wrote to memory of 2876	1352	Client-built.exe	79
PID 2876 wrote to memory of 4784	2876	Client.exe	80
PID 2876 wrote to memory of 4784	2876	Client.exe	80
PID 5104 wrote to memory of 3576	5104	chrome.exe	88
PID 5104 wrote to memory of 3576	5104	chrome.exe	88
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 632	5104	chrome.exe	89
PID 5104 wrote to memory of 2388	5104	chrome.exe	90
PID 5104 wrote to memory of 2388	5104	chrome.exe	90
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91
PID 5104 wrote to memory of 2348	5104	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4376
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd316bcc40,0x7ffd316bcc4c,0x7ffd316bcc58
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3096,i,450827835867636575,16413924678629356453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3276

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2462545504341ea47b0915f416676422

SHA1
10fdc99daf254ceb542b56b90a05828f8c29eabb

SHA256
3b9ab6d90bb6fb8c418de4dd08cf0b136d43672c35ef9ac9719d5f2cc0cc4e0d

SHA512
9ee5b902940cf04d8b0c3a5823b35ef2dd20efed746a8e7abdb17951863c58493da29c6a3bf41f4e429ae0ce0a157c70074e725b7829b07ce29a382c9779f0b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
35eafc88ab31101e2085dd701d4fd143

SHA1
df5b86a5e4a8421a92b33653956f30d31c4c8ffa

SHA256
fcaaaa52ccde7a8a1bc471b1323bff05f623ed900f59522b0b184c9f2c38553c

SHA512
47394aa3af055afd1a42da2fe6b55e096f2a3334a172756f9193629fc53b7549945ab0eab632516ad3f23e9a14c27bdd022ec54c1c90d80cd9848a61f00a6e3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b14aac28c1c6c563c502ce11a018f7f8

SHA1
e310d8391eceb62cd1276a2906f693feb7d859e7

SHA256
a320e0d68676325cf2d26390557051c43f8aeeddbf037bc870bd2c206fa0e854

SHA512
69edb68c0aef13916e5c15657a22376194d42517312b7e267155ce8801fd9a94fa1adb7baab97e17770f9df1a6f1e358003531d5de4d9aaf42ced1884c8f6ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1e5cd094db6da9d7bb12193d9701af5

SHA1
2ab0f03d87508b67e8ebe57686a3bbb2d1a6a6a7

SHA256
918eca4a3a6334550aaf00a1e158d8f2a6c66952b7bed565a9ca991466124c69

SHA512
c508d575928efd9cd9a83c0b0a18c7574a78d79de07e371606ef46c9e1b23c47f7bed64ecbf5c1493840d9e21d51bf80a7afe231a52b3a983e73282bf4d51408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
026ea9a99ddcb7e5d89f909c0941a24a

SHA1
ec48068d587f539f6c9fc415b39ac8e4f4260db7

SHA256
9bf350749713d5af6e07f75cc41f37e807782d94c46e27b875dd83141604e2c8

SHA512
af8e4e1d2dda156140b7c7ff16f14f8c2240aa78896a80b1b43b9493d7670185449961e50bb4e7ccd2531cdfce7fe04f5e908355dc89ec2625892a9b0860d7ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6b645931973c2dad4ac57d8cf4b632a

SHA1
731c1716e61ae18bb737e11a70c0f48af40190d8

SHA256
4daa9dabdd498b131c14509c2d961bb152784f4da1722f35bf16e8a9b85553e2

SHA512
da5798ead6439ddab99a31692fa32e39ffd30fa555978f218f1297ce64ed2efa936cc7a46b9dac04c4cec01cb06909a121cca10e8264f7040e4560c3c56acced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96777f461554a47d4911e607f2d8dc66

SHA1
b51c67171460173350ffa4def717c5c9dd0e8abc

SHA256
61079adce9a0f49551f4666b16b26b6f03a7637a45f425f0d81974765a39c57e

SHA512
36a0416f3062dab4104892452af3f74fe1ddf9f7dda6de717ed9e918819cb681c0d1be3b1ea50ce8f16ecb52ef0d7a49a803af51cc7013305d0d0d28ba09316e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5b02360a6d4eb51e60ffbb5767f8f18

SHA1
323825610585e3c48539979ff8bae8d0c975193e

SHA256
28396e85a5e92c8658f94db4213f7fa0d0e4b456b878458506315610ee6a9cae

SHA512
f296a21f0e8e8640e9b0d13f1d7188ff2fdab4a36dc98227c469f6b2eddb85cef89f1f142093554ee01f2824a6477046fd34a369b7438461e1b16604cba4f5e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9ad2f2e6b19f95bc83be567c5c8dfd8

SHA1
028f6beb29a61e30c1ed842016118420a4ffe0d1

SHA256
00c579941cc4b2289a041ed9e44b8a4d32ee5ed29f99c0772239578826259572

SHA512
06b662687e5e93e5c2999f189da75b46148a668f3d9392f85b34c93a9a885135d40c3f5889997e176777940ef500174c190a4bb92e985cce41e9052b6a12afce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a0cbae61ba0b00eda4820a58217ccbc

SHA1
bac15cc9f93e18622e2524ed82eaaadbaff65a48

SHA256
445e4ab96d81381d1cf649fa4eff69700e7236e02bc319dbd36263f19e61bd2a

SHA512
02e82d873042103e171f4daea2493de87960fd21105788f032ed23c965341be6c1c358fd0da6e2ce2b69be628b2b1a977aa1cb4b42c768155f8af80f0e5283e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f511bd51ea3dfe9aad35b3e48122c501

SHA1
ff739c55659c1462f33162c04a57b93f547b8cdf

SHA256
92e28ef80a2a11b5774581738c35ea7ce68b61eafce647258a390e27ad095a93

SHA512
58954f2d330732a152f96c045e8d6b651495ae2f72b22645a850aebeabf5a268263ec215ab5baa6517afa19258a9f7c153aeb992779945c615e910f4ee19e8d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b565d2f9a891f0a858c9551dbb51b1ee

SHA1
16b31cdbe7d86b2ec58ee1a327e308e35ad4a71f

SHA256
bcd877934278eb0f9639f0333386e4a3865eb8bbcc22db7ccebe5c015584d281

SHA512
6914a4074cc9df35a5bcb538525bf1e048525d83504ac69a564964c3f7985dab7ec3cf54de77b3f81c4ec4bff69db4d346dea6baf92ec2f9f33a14add1826668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
d776624fe475131f478b7f3402b48ca8

SHA1
2289acb1f580aa5aea805d09ff1c90180fe2f095

SHA256
36d92790eed14f511d2e6b10adf0dca2adc955b07b40efdcbfb1a8b74789b0b4

SHA512
e5880de55fc95722da45e634deddc8dfa13cc7715c56f4244235d317e10e27b51adea109f34fc8eeb4b70c025a60c22ff580814e673bc0ac30a98f860ff0d59a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
b6045f5416dc6da91b647aae35b4a97c

SHA1
0dbfca0fe6098106ac9e9316bc04477685188d31

SHA256
0bf43a291a02f7a32307d352d44e681e3837b65da0a799708309dd2a5c29df91

SHA512
c765c22205623fc9843af849e5c3fe5c1da0a20449cae5d6954a5b24e06d09c580c4a862f7ea90adb1f0f011bdbeee497f5bb2ac2dbc6f6d52e986dd534fd73c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a36659ff-2438-45b2-8526-671192ce1f09.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
e60175e496024c929635816438b40fe2

SHA1
56a7bc169835945de5ac601426e720301141b144

SHA256
ec1748bb524a5304d32d79ce0bde249c75d787812ad9a49bcd5d67a58c98859a

SHA512
96bea0aec6b4822bbfe4bbc61d7d70dc27b18ccda3f85c7e8c9f8157235fc57812ccc305869d20df0ffe7bf34f1ba757c837752aad1ae0f5eddea95acc13c119

Download Submit
memory/1352-9-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/1352-0-0x00007FFD38193000-0x00007FFD38195000-memory.dmp

Filesize
8KB

Download
memory/1352-2-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/1352-1-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2876-13-0x000000001C970000-0x000000001CA22000-memory.dmp

Filesize
712KB

Download
memory/2876-11-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/2876-14-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/2876-10-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Filesize
10.8MB

Download
memory/2876-67-0x000000001D2B0000-0x000000001D7D8000-memory.dmp

Filesize
5.2MB

Download
memory/2876-12-0x000000001C860000-0x000000001C8B0000-memory.dmp

Filesize
320KB

Download