quasar | 78c3578aa894e56a27efeaa4daa26b2effd9e90a3ffaa32abea06f78e19ba735

Resubmissions

26/01/2025, 17:48

250126-wdl9xayjfw 10

26/01/2025, 17:45

250126-wbvs9syjax 10

Analysis

max time kernel
130s
max time network
227s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eclipse executor/eclipse executor.exe
Size

3.1MB
MD5

1512ffa41753d2f49de5b5296f5c174e
SHA1

596412e03c09c60c822f6e0d12072e4cb861fa72
SHA256

1df2e7dd996b5cfc2aea6b38548ef0375664ef618743bbcb623df319f9e48f3e
SHA512

b07550d650a0960b0ffda941e0a71c4ce4630964cd74c58e2ae21225cceb1666c6d1de234a0f1802578f4a9afeca653cd1f295bd4d5a97d4afbd1ff0f5f582f5
SSDEEP

49152:rv3I22SsaNYfdPBldt698dBcjHaFenk3xg2oGdaBTHHB72eh2NT:rv422SsaNYfdPBldt6+dBcjHasno

Score

10^/10

quasar made discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

made

2001:569:7e70:6a00:c8f3:749c:278f:2c17:4782

Mutex

9d96368e-1352-46e3-8281-8f5eaf945edb

Attributes

encryption_key
AF603C3CFA231D1BD841E315C27377C7E4A49333
install_name
client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/1628-1-0x0000000000A30000-0x0000000000D54000-memory.dmp	family_quasar
behavioral1/files/0x000b000000016cab-5.dat	family_quasar
behavioral1/memory/1984-8-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1984	client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2424	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	chrome.exe
3040	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1984	client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	eclipse executor.exe
Token: SeDebugPrivilege	1984	client.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe
Token: SeShutdownPrivilege	3040	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe
3040	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2424	1628	eclipse executor.exe	30
PID 1628 wrote to memory of 2424	1628	eclipse executor.exe	30
PID 1628 wrote to memory of 2424	1628	eclipse executor.exe	30
PID 1628 wrote to memory of 1984	1628	eclipse executor.exe	32
PID 1628 wrote to memory of 1984	1628	eclipse executor.exe	32
PID 1628 wrote to memory of 1984	1628	eclipse executor.exe	32
PID 1984 wrote to memory of 3068	1984	client.exe	33
PID 1984 wrote to memory of 3068	1984	client.exe	33
PID 1984 wrote to memory of 3068	1984	client.exe	33
PID 3040 wrote to memory of 3032	3040	chrome.exe	36
PID 3040 wrote to memory of 3032	3040	chrome.exe	36
PID 3040 wrote to memory of 3032	3040	chrome.exe	36
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 1692	3040	chrome.exe	38
PID 3040 wrote to memory of 944	3040	chrome.exe	39
PID 3040 wrote to memory of 944	3040	chrome.exe	39
PID 3040 wrote to memory of 944	3040	chrome.exe	39
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40
PID 3040 wrote to memory of 2260	3040	chrome.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eclipse executor\eclipse executor.exe
"C:\Users\Admin\AppData\Local\Temp\eclipse executor\eclipse executor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Java startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2424
- C:\Users\Admin\AppData\Roaming\SubDir\client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7179758,0x7fef7179768,0x7fef7179778
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:2
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3148 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1060 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3212 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2728 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4024 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2640 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3832 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2436 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3364 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2384 --field-trial-handle=1248,i,16053899152029751045,8219984516209333281,131072 /prefetch:1
  2⤵
  PID:904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c20e8aa876d154050e734c84b2511077

SHA1
96b034aa941beeeab0d463f76d53a2ad16282ce2

SHA256
94da7e8ef492d51689d4883a30dda1249a53247082e6c21f71ce42a3b8bd06f0

SHA512
de68a8ae43fc219e08ad65ee4e2ae754d5855631ee035e212d9ca17dbc94f8a3dc4341941f7913f199dd6be256bcaa831d0f3ae4269510ec03f2112ce330f3cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1214bdd422758401d1d0caa6c86167f2

SHA1
42edad8de77d3013bb5bc18c8483926dc45d0727

SHA256
808003af27c8ba8133d0ec59da329ece7072649d41f795b9555ca77a3cb66ade

SHA512
6dbf3c7ef06db32e4f5285a497011d72e6f09c6d31d5ed95c85f23feb92a4d08a159c987cb218b89b96e9e15db42d9e4c5916f13eb50f3e975f6884236a190b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
933B

MD5
d006bb511f88832d82277bd25b5c7b59

SHA1
ab3353fa9d370caa173796f2b6143af1c254c48c

SHA256
590297fbb008065aedb6559c57977d99ac8b231922066a9cf7e55eea69404804

SHA512
0798d2587a4758b6ba8ea2e9b9cf46b2bbd3ec0f969ea2ca1b2df43b51aad95786a1a6140293bfcbb4b3572bddda955ebbbd9792ebcf7a2a063fdd8480782a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
4a349daff6314c94a95f0886da1d22fb

SHA1
e4a213f18e951d667c7d6eee61e24222add15301

SHA256
01110956bf6539daef5575c75de75cc72003c290252d2a60c0302b8adfa067ed

SHA512
33bec06069f2ba7a23f5d0077a3f19a88f8eab003734836be5afda1948f29952313aabf906080ea92c064ca12ad1e62822a38efca4c3508641a67aaad2648f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
2c0a81b44c960ffe7f1c3ea1ed200804

SHA1
dd3a0a6af04aa9c1105af3602ca3ce45b103ed32

SHA256
7dbd801f885dc15fdee18a7188ebc6531a4a1c58272f08958c7aa222e55a5505

SHA512
73a649571ac3fcd7b52780045c15281a01b8e49c56ec1df90b960eee69933573207bdde9d580c2d3235d2416bcdaea10769ae4a07fbc1d6677d06216d148c07a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
bcf09a9ddd8cf0b2b1b1ad9c6a4453f4

SHA1
77f23566e5688feefebaf697b3202955a4d98688

SHA256
af4a160bc4acb6ca0b049b9c2fe3b2df8c433d0a4e4b7d2e079d8562b8fdf62b

SHA512
78217a3362fe36d32ace2b8bcb3ede5326b316391a646f0bd1112e8cb20ebd8878a86bf7580caf3d2ab4151080dfb8a1dfd3c9d7f4688ad33a0054ea8f2ade38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9b7c4f3b4f3171e9ae9c5db8be7a4e48

SHA1
0970f5792760913b0bc9ad54fab8108221cae835

SHA256
f606ad2313215ec98f6fa2ec90693208e844013945a0275ff56fbf087753d230

SHA512
16cf7e115dd71a0649f051af5e29a72f95617087dd524142f5f0586a4d05c798f1a0f4b5459d98db1b1ebc9b4b3bb3aa6af6a1fa1333bc66505a133739a1cbdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ae772ce7c5b35f83573979ab10ca075c

SHA1
192d6ed3f89a2f5f0c68090bb81bf535efbaadbb

SHA256
540525287e93b8d5db53782418e9336bcacb5bb22d55629b8e008c4316435181

SHA512
2f43e06164cab6f54cb7f54a6d1a09d7e918ae00fbafa87165966370b2b71c08deecbe37b6370407931cf577c66474d0454f20efe445c116c577d2c025e30957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e443198bb24627155ce5eae5e0f46370

SHA1
7bf302cca676c26ea363c7dd7946d6116b4d0aff

SHA256
f9b191ed7ab0132e2e1d41b437c7996705606b617489b56c7d0292aa5aebd605

SHA512
57d6a2846abc070cbad0703d2593e7ef9318f82d7762068e13c3a1ca7c2d43752108d77d12182d5d7955019493e87353541bdee539c95208b108d54d26208bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9dee08a8b8e6198c967fa558c8f3bd3d

SHA1
40eeeeedb2263d6538776f23159b4a8c56811194

SHA256
4a8ec60a2ce6bae47833b2cde7455622ccf3f08fa0adea950f4b2af9790b8277

SHA512
197e4ceea5196419269c68c46cf7d68fd38a0ec8b5bdd5de0072a164e1f37c85ac935f2ced9488533c67c8df5b462afa07de46f6a199eb7e1022edcd79c5614c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
4e3764f72c81ec55dd27ab582963d298

SHA1
5d097d82c3469fd909b72bee1998f4f96415d84b

SHA256
65cf32c87085187d3ec58cf811d364cabe10d6dd863074bb10db42b723c17880

SHA512
7d270f9f3db5feb8d67273a3e3690b380e5ae309f272ef36a48876e973fbc6e032ca82d701a21d1ba55447a0cb967a95747f7d617f3dc282119fa5c2ac792db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
354KB

MD5
553c9350394ca33c371245542f87173f

SHA1
1917b820eeb09552b1dbe36225c770ad75e2aa4f

SHA256
5c478f4051c030c1e844169a4bf9a4915a635020e6b2d46d39541a2e63bd6de8

SHA512
6b00b5fa2a3f3705027ef096a7d1dcf44145b84260b2e304f6eb81c49cefbc59b397d8c1b14e74f62411f497c92cf6a2db85e8f8f8e373e83d1bb301559dacae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE803.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\client.exe

Filesize
3.1MB

MD5
1512ffa41753d2f49de5b5296f5c174e

SHA1
596412e03c09c60c822f6e0d12072e4cb861fa72

SHA256
1df2e7dd996b5cfc2aea6b38548ef0375664ef618743bbcb623df319f9e48f3e

SHA512
b07550d650a0960b0ffda941e0a71c4ce4630964cd74c58e2ae21225cceb1666c6d1de234a0f1802578f4a9afeca653cd1f295bd4d5a97d4afbd1ff0f5f582f5

Download Submit
memory/1628-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1628-9-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-1-0x0000000000A30000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download
memory/1984-11-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-10-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-8-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/1984-7-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download