quasar | cf69d61f1cba5ad3feb85ba91931d37ae5862eb2a7d5d9f5ab10b8817139cdcc

Analysis

max time kernel
116s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Updater.exe
Size

3.2MB
MD5

bde27400071e8114a50e49c7a7d5aca3
SHA1

e8ba2d9c033467c5b9bc68f3646da6d24ab18bec
SHA256

cf69d61f1cba5ad3feb85ba91931d37ae5862eb2a7d5d9f5ab10b8817139cdcc
SHA512

13be08ea18cc1859f5bcc2f8346d1772e232ab9380a80e20116183f880fc21999b520e91c1206faffbbd60111b12567e99ed4807d219d409f9848cd7c5596cbf
SSDEEP

49152:zvTI22SsaNYfdPBldt698dBcjH01xY1v4LoG2Y8THHB72eh2NT:zvs22SsaNYfdPBldt6+dBcjH01xj

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

nukedrust-59850.portmap.host:59850

Mutex

e18b24bb-41a4-4371-91a7-7a5c163c4d80

Attributes

encryption_key
D1BE981B0A025276CA1B60203BDCB46D48C43278
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
modules

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1964-1-0x0000000000CD0000-0x0000000001010000-memory.dmp	family_quasar
behavioral1/files/0x000700000001868b-6.dat	family_quasar
behavioral1/memory/2676-8-0x00000000001C0000-0x0000000000500000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2676	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\modules\svchost.exe	Updater.exe
File opened for modification	C:\Windows\system32\modules\svchost.exe	Updater.exe
File opened for modification	C:\Windows\system32\modules	Updater.exe
File opened for modification	C:\Windows\system32\modules\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\modules	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D310CD1-CF66-11EF-8F1B-EAF933E40231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	Updater.exe
Token: SeDebugPrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe
Token: SeShutdownPrivilege	1036	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1660	iexplore.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe
1036	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2676	svchost.exe
1660	iexplore.exe
1660	iexplore.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2732	1964	Updater.exe	30
PID 1964 wrote to memory of 2732	1964	Updater.exe	30
PID 1964 wrote to memory of 2732	1964	Updater.exe	30
PID 1964 wrote to memory of 2676	1964	Updater.exe	32
PID 1964 wrote to memory of 2676	1964	Updater.exe	32
PID 1964 wrote to memory of 2676	1964	Updater.exe	32
PID 2676 wrote to memory of 2780	2676	svchost.exe	33
PID 2676 wrote to memory of 2780	2676	svchost.exe	33
PID 2676 wrote to memory of 2780	2676	svchost.exe	33
PID 1660 wrote to memory of 2508	1660	iexplore.exe	37
PID 1660 wrote to memory of 2508	1660	iexplore.exe	37
PID 1660 wrote to memory of 2508	1660	iexplore.exe	37
PID 1660 wrote to memory of 2508	1660	iexplore.exe	37
PID 1036 wrote to memory of 1168	1036	chrome.exe	39
PID 1036 wrote to memory of 1168	1036	chrome.exe	39
PID 1036 wrote to memory of 1168	1036	chrome.exe	39
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 1060	1036	chrome.exe	41
PID 1036 wrote to memory of 2372	1036	chrome.exe	42
PID 1036 wrote to memory of 2372	1036	chrome.exe	42
PID 1036 wrote to memory of 2372	1036	chrome.exe	42
PID 1036 wrote to memory of 2204	1036	chrome.exe	43
PID 1036 wrote to memory of 2204	1036	chrome.exe	43
PID 1036 wrote to memory of 2204	1036	chrome.exe	43
PID 1036 wrote to memory of 2204	1036	chrome.exe	43
PID 1036 wrote to memory of 2204	1036	chrome.exe	43
PID 1036 wrote to memory of 2204	1036	chrome.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2732
- C:\Windows\system32\modules\svchost.exe
  "C:\Windows\system32\modules\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Windows\system32\modules\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef3c9758,0x7feef3c9768,0x7feef3c9778
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:2
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1532 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:2
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1312 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1384,i,9653790745236030322,4535353834674164229,131072 /prefetch:8
  2⤵
  PID:2580

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97a8e1cef12d304c831354d44ad7609e

SHA1
0303bbaee394c2bc293e053c7ae6b4b5be1bcd25

SHA256
14b1601b389f10ab697814ff9258627cc41a301651d2706e9bd7bfebba4c3f00

SHA512
bee12d86e872ca883e0d521d94dad628f998fc3ad66531dd39bafe4210d6a1b32b4f73cad80aafb7ae6615ed40df4f6b26e405a80a8ae5603aa148a800fe63a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1d9debfb5be9296f13eef8f4f815cca

SHA1
322b3beefab4d4f4db362ff61bf205970e5d948e

SHA256
0665613d9ca70f9ed13ed8ee0e7effceb5455059b9e4f5a934a8d8ecdde40112

SHA512
0f6aec353784fa82f53ac8c2fb906fcd2a0fc789173cd0e6bf95c4a27770c4abd905691cb7b745aae6ddb8d9ed167f6f26d6b72001cb64641e4a8a8665b26063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4077ebea33cd0697751804db25ac235

SHA1
41626237e861985e52b8de2475f3e6c2032e2887

SHA256
028e7e8b3cc2c555a730b9627d1c077dc49157e3b55bb90867ad4c773a99178a

SHA512
998d985b53040c6f928f0b4fca6c651fe61764e01470fb4790e370141c97051de5bc6403568310416fa57e8d61a93f9210314ad2c40b58df4c4d45b70a005a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce38d023021050b21e6b524dee13e42

SHA1
395e0427f15b720c1427d52fa0638219806ef5d3

SHA256
65c686ac356c77acfa5741543a5138db4e95d52627d85508a3683f6050a2e338

SHA512
9e70d4a5d18ff7cfc1a8c4ebd9439d94ff16cd8279ed04520c7933654e494914f93943ecd5a98b998dbcde38838662537e4cb7cbc107e0e06565f1680569706c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f8ec47460790652392f70b7da5547ca

SHA1
7db3ca488df5081e7ecf4a25317562f6352704fe

SHA256
66693a97527cc91537d251c4a511254f750fd82a046a92b253221f92ef2576a5

SHA512
4a19bdeb00c2e6370e6032e9b6f33dc55172d09bf1d30672a58035e4f5fcc86d58e442a00c5601b0b9c42a71fc52d565609567f935c4a8669af236c773f392bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b270da32afacecef892754f0284513d

SHA1
7f15f4f475a07eaad7b8281afafe864fe2291fd0

SHA256
642e1e72f47c3146153031cec2c47133dbadb91a25760f33f6d21212ab6204dc

SHA512
5983f142b12034b7788143b4614d00e2786d09c1a700808772f9539d701999ee2ea70641c562de46c26c56d421a9038855334858c580013ab8de0f084590be5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf4c297999ca474cf5b817e997d67cd0

SHA1
f528562adf124079ca052404ca7f84fe72a20e7a

SHA256
7b53a324f24df72925c716d3f8672b83d2fb46746a9106fe700aba90c72355c9

SHA512
97881be34fc79d6fcd3b1b7c2c13a6ccfef7a58346f375fd371f4507ac0d9d40adf885298d2292208ba5b07897e1ca99fc60af7553ceb33f9918af1447ca3aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54f0186473f4e69fa070d638a7cba213

SHA1
3c81723b4bbced8db94ed39061e27fe110c0b1e4

SHA256
70c31746c0233e5666df21dd87e05875dd9ca9dc286d5b4733b0464803d0fd46

SHA512
0b0e201ecbb0bdc9005bd7af80b901cc4d070e29091d6ea22555163e054611c1de0e938ff110a5d045f0fb58107d0980eb8dae0b95f5187f9aa0e0981bf88ce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce844f977937ac74a9ee49a7860846c5

SHA1
0c1196a1b8cba2d1f761fdc411b7c97c83879b94

SHA256
1593e5071a652f71ac53cd3005ffda3f1fc9c7b578daf4679fe91456f86499d9

SHA512
ef3b7f4fa36fcdf841e1d01c275646a6d73a58c54cec6761f014feda2e7cf9140385f0a19d8cee661598dd248803cdf54b89f1668b16e1fe44822ebfdc9cf86a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f00f4ec25c50e2be04b46b7318d1511

SHA1
4344819c74f377dee1373c16a870a593a6c1e806

SHA256
409b85b694d1214762e48f80ea464fd78041e782edadf7149cd32307c26acd4d

SHA512
6f16b585db5398071a377232038f58265db22b9e1302f7b42e38e808dd12acb4bd63db30ea7dda60d5b3184b695e2c75b3db5e51131ae3f34fb70d0a05a4ffcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72980dd90173386a04d625071ecbb30b

SHA1
f78811714066dd729df3e69e4cdf8daa9ee62d07

SHA256
bb6c120bae83bc664f82673137c88fbb2587426b5f000d5ddc9649eea2119c3e

SHA512
6319837039c0d53c1a25bda0141827d0b1fe9c0bb2d623644cc69d719cf75f932f3ba59720feff5548061e0bee31392fdc0dbaf73d625f9f0bc1870af824ee03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f9a781c47dc4415ae939563909eb4c8

SHA1
1aa8d00c84db1d9d7af36fd1d208983503116521

SHA256
4d37f53ce9f9f8c974e21aeca9aa2c7951de93a3ef653096344654f70fa5986d

SHA512
9debf0b93df2618858d77064deeaf25456462c31965f550a328c8ca04a4b02e81f704b1abee056f172375a04b5fb80f7075edeb3607a91da19ec6c9ef5df7b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1393ee425d28991d271ba30e80e50fdd

SHA1
4617ca5ee725de35bb5c328be3de89c0731c8f6c

SHA256
80a16c6313d04e5f4c1a103b883e0bfaa4578876dab24b77b0131521b1145116

SHA512
0f6dfffccd5ed351866c001239dae939798fa9d59c1b864b0112076ef6871c3b435b3941ed132f0d3d4f1be9a65576c12dcbb33bc7e6ed800a93d7535c59f55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca3ef31d50fcf442a1cd8e14a6c485f

SHA1
cda50f6e58da90bf3fe3d8474af6381362e67cec

SHA256
ac5c09812a0a19d5c72c7c215ab6d3940568c9d57e0c1aa863687e54c760d884

SHA512
4612f3c95b7aa5ace78f54d5b13612c96db6eb9c8eea26142902321c24acddb5b310eed1382aa479e832787d56afa106746dd45325bac0babb8561a81a17699e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81a683830893d32e2a592acb3a4f29c1

SHA1
03f16326f53e0cb364afc85e36131269bc750cce

SHA256
c162db839cb2cdff14dad3db8cd7487fee799aff36d080a3010dfdfd941c31b7

SHA512
2d4856b549d9f893fd32411d95ec93f7427721256883f49bfeb0fcc6068a93a02b65d010028ec92495c41634d9b10c7f7e4a1542c9e562c05915fdcd4e24c27f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9500593f21969b1395ad50be931947d1

SHA1
861458bfec7d30380883c813915482686693a11e

SHA256
a7f05da55711ab99f42be8708de64c078037d28fccbb4552d379ec7d08165c35

SHA512
4a0e039415d13536ca8770e277419b5d157326b7f0be10bff039a849b3f2d81c5a0ac53cc9e06d0ff6738befbe66507c49b5ca65a0b9f4b5608e79fff865b63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729b531b96954ac3184c795062f03e02

SHA1
1105ec277f2ae046f9c48558a618d7a1522fd8b7

SHA256
2dc45962a4121b153f4e7ac5f3883a77482cbcefe369849b220f40dd712f55cd

SHA512
decccd7508865bc0424ebfb5023bac6e4f15329e926e12e653add00474c1f1e8048d8e5719f075adcdc63436061eef42e820e665a7de552a630ce77aa95ae79b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3fd465014ca868e2f3b985f7137eded

SHA1
f3eba16b0394ad4dac6f307e7067c220461f49d8

SHA256
d3ae21a000330609b79034ea97c32a664d2292e465ff58155181a5f5b0120a1f

SHA512
150022addcd0aeb1985058e1bc2d177e7a0c34d13b0c940a874cd1909770064f26017e82e8286dd309ad7c1e74eb4a2f698eef71a179744184cc8e06e0743bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89aafa20c9cbf5a8cebdb8562b32b69c

SHA1
62c1508534f73431e544993d72369cedc1fb1641

SHA256
3b912d7fe34ea13c9e8d80072dfff2eb17ef126455707f742bf3798bdce8bc79

SHA512
0ec4c1de900ac57aef268938e06b4eb2ec7fb509fadfd7bf5111af40c318df603f126b700e640f54d00fc95981b25faa63032dfe6d5cdf793cccb600a6e5d4d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1a326441420fe387e8cf5be433fca668

SHA1
b9809e7e7b48d2e625000bc8e9963f84bc4c8fed

SHA256
042379eb5b403bea48e372253fbaddac9a58acd772f249190c1a6d704007f9fe

SHA512
883e81aacacb0eccf1e344a02285ca912f55d8e8580b40e4ecb29e9c7e0d98044f171aaa903f40ac961f4be598c2789376ed3aba362bbf14d82d72b90292a3b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ec0f3c422ecabbcfd90d215125de6535

SHA1
e9815c233f1e7a2f36105be402285f28d947f184

SHA256
e2f4a096a19d7458e0635380b2b1447d1f3f236824912e874e61b8c6fcd1b71a

SHA512
add9bb6490cc80caa8d25c7aa72cf1eff9f12200e52d58684442b19d1d732ba5af2a438eb6779f4ee3fada9cbcfd8c8080b19f95330b602075bc4c4657da3c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D58.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E28.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\modules\svchost.exe

Filesize
3.2MB

MD5
bde27400071e8114a50e49c7a7d5aca3

SHA1
e8ba2d9c033467c5b9bc68f3646da6d24ab18bec

SHA256
cf69d61f1cba5ad3feb85ba91931d37ae5862eb2a7d5d9f5ab10b8817139cdcc

SHA512
13be08ea18cc1859f5bcc2f8346d1772e232ab9380a80e20116183f880fc21999b520e91c1206faffbbd60111b12567e99ed4807d219d409f9848cd7c5596cbf

Download Submit
memory/1964-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000000CD0000-0x0000000001010000-memory.dmp

Filesize
3.2MB

Download
memory/1964-2-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-10-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-8-0x00000000001C0000-0x0000000000500000-memory.dmp

Filesize
3.2MB

Download
memory/2676-9-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-11-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-12-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-13-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download