quasar | hxxps://cdn[.]discordapp[.]com/attachments/1235717850421788722/1235733432848617472/ArgonCracked[.]rar?ex=676c93f1&is=676b4271&hm=6203d75403f7faae67d6ed0ddefff01f7a2b92a1a6bbbdae121637e8094bb4c9&

Analysis

max time kernel
143s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1235717850421788722/1235733432848617472/ArgonCracked.rar?ex=676c93f1&is=676b4271&hm=6203d75403f7faae67d6ed0ddefff01f7a2b92a1a6bbbdae121637e8094bb4c9&

Score

10^/10

quasar slave discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
BfQu2aop09VkjugTkmuc
install_name
$sxr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$sxr-powershell
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aaf3-151.dat	family_quasar
behavioral1/memory/4968-153-0x00000000006B0000-0x000000000071C000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

pid	Process
4968	ArgonOSINT.exe
2912	$sxr-powershell.exe
1052	ArgonOSINT.exe
4736	ArgonOSINT.exe
3980	ArgonOSINT.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgonOSINT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgonOSINT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$sxr-powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgonOSINT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArgonOSINT.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795786156380414"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ArgonCracked.rar:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2192	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4604	schtasks.exe
4088	SCHTASKS.exe
4628	schtasks.exe
4904	SCHTASKS.exe
2076	SCHTASKS.exe
1608	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1052	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeRestorePrivilege	4004	7zG.exe
Token: 35	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe
Token: SeSecurityPrivilege	4004	7zG.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4004	7zG.exe
1052	7zFM.exe
4832	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3404	4296	chrome.exe	78
PID 4296 wrote to memory of 3404	4296	chrome.exe	78
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 4472	4296	chrome.exe	79
PID 4296 wrote to memory of 3396	4296	chrome.exe	80
PID 4296 wrote to memory of 3396	4296	chrome.exe	80
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81
PID 4296 wrote to memory of 72	4296	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1235717850421788722/1235733432848617472/ArgonCracked.rar?ex=676c93f1&is=676b4271&hm=6203d75403f7faae67d6ed0ddefff01f7a2b92a1a6bbbdae121637e8094bb4c9&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9fe5cc40,0x7ffd9fe5cc4c,0x7ffd9fe5cc58
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:3
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4936,i,1124449964228018552,8676330790087207364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26337:86:7zEvent10876
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4004

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1052

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\" -spe -an -ai#7zMap22042:112:7zEvent15821
1⤵
- Suspicious use of FindShellTrayWindow
PID:4832

C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe
"C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe" /rl HIGHEST /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4604
- C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe
  "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4628
- C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4088

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\KeyToUse.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2192

C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe
"C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052
- C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4904

C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe
"C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4736
- C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2076

C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe
"C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3980
- C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\079bc058-8217-4019-8558-e65331db8b99.tmp

Filesize
228KB

MD5
9ddec916ba945ab287d476f0e8ef6336

SHA1
18378a84184b0d6cd28751397008e658537f3a62

SHA256
4d9846814561be6d013a4d89efacd55e64c897641da071016d614b3976ef8e4e

SHA512
8c02fb99f6d804f100df5df3acf562b05bb6f424b625eb3af0cdb8b54d390066bfdde01ceda1f8bdd47cc9738e82b026257d06dd3aec3047ea01b3f9e9cbeb6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fa56d26001f240ecf75fd0e2fc03c1e1

SHA1
bb6429cb48505b8197b050f2eec380695b6eb1d8

SHA256
c4569abedd75b72a38e6a73c45e2eb2017227ed3a67b2ce28a5796f4160caf0c

SHA512
2d405bebd44e88b73919a90065a6f2fb34adc8aa6858fae83f5dfa509e7ab2ab2386c20a5a2f8c75b286fbc05e96a093316a90686f75cf36063f9d872c8ee6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4c521655e4501eccda052c4895b1ce7d

SHA1
707bbb34480116443459ec0b83fa2939fb9344b3

SHA256
6b73061265dc5acf461484922306d94fd488f6c9e99db8e14beb7f3ae9af4036

SHA512
78add45df550120b79ac0b0bd5983f6ebd15bdc6a959a3fc0ec88bf141fff12feabc525bb14d65cb67a8f2f04567e9d256ed8eace148a4a28bb1d13d37166e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3c8663e19af16c920d97160b59e379cf

SHA1
0f3d740f3c4d3ff6aae1df4db756bda295c68a6e

SHA256
c338d11edc07f6b456a0c0dfe0d7ab6893b70be9c27838e050a28b1d55011a3c

SHA512
795e2c77a4b7daa35c73b31ca33e6e2ca395979cf3cb7375e1bf021650852544e0fb5017e5786c5b8f36f840cc86dcb376b8fa12b7cc71ca478270dc7bcda012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
33595306a5abaabb941825fcb8d5c711

SHA1
828ae1dc25b822c0642f1bbf7f82b23808c52c4c

SHA256
ac880996a65add269bf9034e11e9131d4a199cf4b1c1017eafbf150df84aff32

SHA512
90f41c169b221605e7659d2106fa84113e1d705c804f92a374361996f3582b628dad10996bee0f8e984c50d2b6e5511730bee2abf447b070491449b3d1801804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
668e186b007c3649c82ff6bb67ac59ab

SHA1
f3eb1d6e922598cbdbee3926d60dc80879e37bbf

SHA256
268f68938d11431196be82d33cc38667907e9f39f4fc4f812e96520f973f3fc5

SHA512
a7f531e798173f83e8d24125b14c94052f15d9b98b0a3bb7ae5d7e71cccd99d0e657e33e1f39f22ea860f84279c677827d948a22a767ea98a9307a40e057d665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b33f5472084e087bde8b5ea9fabffee

SHA1
4d17d63ee525ec0425dfe8bfc2a8aa117638bd8c

SHA256
35e1f46d09f00a63de42bc7afb4b10c2caf93b1ebd265928900e47e6d05f2826

SHA512
9459c1eac7e9c08d0b3cb300fad20becdb498dc48ffa0cc0cf1bf8ac97b2331f137462578b1153d09019e510c67ad23a23e8f8486c359076a4b29fc6b71dbe95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
694a46dd16091a8c1bc8fd221a4985db

SHA1
67f8a49fee6ae685f8e67f366e3c7d6d51bdc080

SHA256
2303482e62244835c3bc1d802281ce14d2f52e12aebf3760bac570b098b7d472

SHA512
ebd60f51f970c2fdb8d6bbc5c40c6b6443664129d273d080c64fc59ad88f03aa81ed928797ca056ef3e492e840ff6a3410275d39d9717d88169406e0e0e860b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25093b7b737dc07c04a5152247e8ce3b

SHA1
e85e650951ea2703536323fab5182ba7e25a7cbf

SHA256
ea275c7d48894351a295a8786f9c15bc70c02b429d856172dcc7f39a1b6e47e4

SHA512
fd2910f902850432210141367cccf2405cc85131d69907fd3ce994e0ca61ee40d003c6d40bf6ab3a0d923e7526c2d75205adf19ee0e07dbeeed848e42c2eebfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b38c25bccdbc2b6a6c03859a25b1a3c6

SHA1
6f7ab7577404ea537396df25ae8ef41e38ddc0fa

SHA256
6a254e34ab29943b840805b3acef2aefa1b6bc91eff547f234df98c463a1acc9

SHA512
1be253822b2657222be7462e1a4ad0959e4fd40485e5718462b30ce4801a34b9eaf2d5295c1197f711a56ecd4a5348279994ee9fb3b0be74365b71b8a5b80efb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6193ee8ea63898346b9d5e059468e57e

SHA1
c743e8e37c649810d46da8fb79b083a50be59355

SHA256
86378097b16a6b61c6c845826f44758530a0063b16ae12e497a26faeacc026d6

SHA512
db6539d320624e02633662e322ed451587fe6312b5a7caa34601243cdd3f6024e2a77646420053c568bed63fc50d1b79223cd026bf785deb2b69fe55a9eb9a75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55123ccc65383d38863ebb0c5c6d30ed

SHA1
ace3a3f952c8b991613778e9096fd29427f2c031

SHA256
801c120bd7c5660cd12ad080d8b27dff41369887a69a66d271a6dcb01f582a2d

SHA512
9d30c04aaa570989063c0f29856f31bc2ecd59b7d0c16cff19954971d7f98f99c1254cd2e8f11722f593e7676ec5a414274e2a75bc885b9691915fcbae05e0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
812d962f9d69d4ba89eb8a505ed2be15

SHA1
7ba28cd5b8932c490034f16baef384a25cb6fc60

SHA256
553891504555d233c3bb651ad7da76f70d56df8b0a6dd6400cc2c9b4f2d30221

SHA512
28d88706518487f708c56db68b8f55b9307ab6810900c468c4848364247254b7ba354091961771f0c01ff8640f07aef4d932666c745ff9b9c1621e5f607c1d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e1b32aa77bcec193bcfbafaab25df3c

SHA1
cf58e7b5db5c58e0204c527b3b455cdee778c050

SHA256
3509bb9702955b375d76e502994f4af6d6731c86d503407ec84c357cdfb7ee86

SHA512
2fb5b61d24b2a757c54d8e229911678d5cb2ae0c0b032589f543d921761cd330c46d6037bc3e441d67ae3c34ae615b49ff9240b75df41c619f429ab22475ffed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0642a2a841a07e192e1ad8c75c68ec2e

SHA1
354b86b7a44695732d8fc0092c531964e2519d26

SHA256
399a9793da40810fa44d2ba900a60d65749164c15d416d3483c9489f8bfc5eb9

SHA512
ae1053547149552970fa6860e3fbcc8e3eff3fc4e69b1d770efc5c911e62d5c12770f713acff8aeb08abfe8df7901ffebdbaf259b82713bf1576b6f6e00826a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
924b026f449db401ac5bdb979084d9a7

SHA1
cfb9bf79b16a298b1e521cd052689bff05e040f6

SHA256
f6a8cf33dd410228b31d86a701954bd713a313d9e25fbb720cd3dafc5370ddf5

SHA512
41dd475b1a588a652f6a629be294a57d359bd16389838e02802247ffe350aea73cfb57864f8c3d3429b946cd318188ff66dc2b7e561c4906790c8f3dd79685a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ArgonOSINT.exe.log

Filesize
1KB

MD5
0d57fc33826cdd8ab7f1fd188829748d

SHA1
40fab51cd74493d07e0c37af6bfee896e9d0cef6

SHA256
4ff6a3eca1a0964fa036fcc54b2fa2137de9ade61e8140cee7e3136352445c41

SHA512
dd02119b787943e580156d89ea75ad38eff863bf560d4ec33fa4e52202f0b6252e928322f73e3a3e11685fb0cff204af4d67c6818bdf9812d7b458c362965aaa

Download Submit
C:\Users\Admin\Downloads\ArgonCracked.rar.crdownload

Filesize
2.5MB

MD5
4c92c1bc251fbd67d51fd27ca07adc21

SHA1
dfbea4ecb99ad1bb08478fa8f7514f16a4922233

SHA256
b79efa37c50e931d5edf741a3fba3fb3390abfd8df93f9d9ca5db023ad36c770

SHA512
35f376328ba821e61d280bb07351ca1a8b885a8cb5091e3df0a49b6126f0971bed97998aff7f957ef046b1cccafd1d59a293a6d350f35ea328f1337013b7eb8a

Download Submit
C:\Users\Admin\Downloads\ArgonCracked.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\ArgonOSINT.exe

Filesize
409KB

MD5
c4f70954d48c8653fde31fc63c619fc8

SHA1
c2fe0bc4eab66f6cbf19ab3a80817eba8084982e

SHA256
dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5

SHA512
1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc

Download Submit
C:\Users\Admin\Downloads\ArgonCracked\ArgonCracked\KeyToUse.txt

Filesize
22B

MD5
cdcae438deed8e32513e848676807bbf

SHA1
2ce41f670953995521d56fd1724e92e8187d0562

SHA256
e6b698000a51f4883e1f461239791262a254ae0dcc8ba60c9097abd41d2d69b3

SHA512
10caf560b530e75e612012c41d01c0d39747a3f892fca36b608954096cae1539caa554004e8fdcf18b95649fea26879e1ab5f149d1a99a499460bd60aa10eedc

Download Submit
memory/2912-203-0x0000000006D10000-0x0000000006D1A000-memory.dmp

Filesize
40KB

Download
memory/4968-153-0x00000000006B0000-0x000000000071C000-memory.dmp

Filesize
432KB

Download
memory/4968-158-0x0000000006580000-0x00000000065BC000-memory.dmp

Filesize
240KB

Download
memory/4968-157-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/4968-156-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/4968-155-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/4968-154-0x00000000057C0000-0x0000000005D66000-memory.dmp

Filesize
5.6MB

Download