quasar | hxxps://pcapi-server[.]com/download/Zhuriken[.]exe

Analysis

max time kernel
288s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pcapi-server.com/download/Zhuriken.exe

Score

10^/10

quasar office04 evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.253.215:4782

Mutex

4304b988-116c-4522-ab83-7f9ad875f60f

Attributes

encryption_key
A6B8B9B9B02FC86103A59CE003D7B3B45DAF8550
install_name
Client.exe
log_directory
ZhurikenLogs
reconnect_delay
3000
startup_key
Zhuriken Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4652-85-0x0000000000400000-0x0000000000724000-memory.dmp family_quasar
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Zhuriken.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Zhuriken.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2972 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Zhuriken.exe

pid process

4308 Zhuriken.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Zhuriken.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Zhuriken.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Zhuriken.exe

description pid process target process

PID 4308 set thread context of 4652 4308 Zhuriken.exe ilasm.exe

resource	yara_rule
behavioral2/memory/4652-85-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Zhuriken.exe

pid	process
2972	powershell.exe

pid	process
4308	Zhuriken.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Zhuriken.exe

description	pid	process	target process
PID 4308 set thread context of 4652	4308	Zhuriken.exe	ilasm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644876225253276"	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exepowershell.exe

pid process

2584 chrome.exe
2584 chrome.exe
2972 powershell.exe
2972 powershell.exe
2972 powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2584 chrome.exe
2584 chrome.exe
2584 chrome.exe
2584 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exeilasm.exe

description	pid	process
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	4652	ilasm.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ilasm.exe

pid process

4652 ilasm.exe

pid	process
4652	ilasm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2584 wrote to memory of 4064	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4064	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 64	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4648	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4648	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 60	2584	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Zhuriken.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Zhuriken.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Zhuriken.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pcapi-server.com/download/Zhuriken.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb61f3ab58,0x7ffb61f3ab68,0x7ffb61f3ab78
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:2
2⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:1
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:1
2⤵
PID:836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4824 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5048 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:8
2⤵
PID:4144

C:\Users\Admin\Downloads\Zhuriken.exe
"C:\Users\Admin\Downloads\Zhuriken.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:4308

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:3952

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4560 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2700 --field-trial-handle=1908,i,9299943795555058221,10018328970009975102,131072 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
544b2ac07b2580db5cf0435c8447efb5

SHA1
78aad69b14f357684a517cc6394796e0a84e81fe

SHA256
ab23121480957b8dd4fdfc18d7300e2445b61756bbb54bc52a4858ce45f1b2ff

SHA512
eb70553576dd0e43fa59b7a5ef825679cddc0fa6fc45872317ff308a0583cbd9fc6c4941841e29630ecf048d5a918551187e5226ecc014a853af094867585bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
fdc68c189a7203203a199c2d36e8da47

SHA1
edbd0be787004ecab8c8b541987c7b7e58922eb8

SHA256
f6ed21d6bb7f3af619fe159d5ea20f82443119a2d1bc818516d247ee3d9b2fe7

SHA512
bc3e9cee28359c78da934b99fa731f91d1ef5c55a2ea6c0a7e9d9d7ac7eb1acb3590f3a2c0c97a3560eced9267b598dc4b19e9ba1208166c3ab3bd8ddc04a5cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3f04fb4cf1b7840daf80fb8d5b64101e

SHA1
9fd30db2276b69b0bce622f9ba814550e6d59e80

SHA256
27ce2f0c69d65bf68553ad5ddc5d867f3720fe532cf85a357be0e809039a7383

SHA512
290dfddfbba40c58885d552af82091b4aeb44c835fa123f03c3d19ddd20da229c26e380e15f9fece65e274f172e2a2f8204f8e1a99c297bc39e359050dc50084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
ae2cd33b7c9544b8ca78b73561950eba

SHA1
80c37b5f79e638909f5386a178194c1a15c64ec2

SHA256
93b83604f643bb635fc4c99b88e2c4402f693f3bc0f064ab95287a380838a2a0

SHA512
0c3a0fb135725991e7222b59723ade7445d752ccf0d426bc5a251903b0e259b8f17e80dcf4188b9e024952094d3521cec65740c108ec70dca42ad8807060f6cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9470c36d6e6f6ebf86c675e86486a5c3

SHA1
2eb460446dad4b2aa3d3a5d5e530153f8db81810

SHA256
708d3fe09d4846600eacbbe496420396506c63964f105b6edabe0e0618237c24

SHA512
ac970b8fb9f212df319fd342aba676d5d3edd464650bbe8457618b3b8d69228865a715614f81bc4dd2f5d5d159ef636643154f9d32e1bbdecca60918115beaae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
6ed6b4acb4dc9b1410732d3f899a3502

SHA1
45a8fdbb69bdaa197d7694feed0fcf07eb11b20d

SHA256
c39509d2598ae8845eebe30ffbf7ab45da2f47cda66ce3670f05f813b6678a0d

SHA512
21a04106fc63fe6a4b94c4016ad233351baafa3707d25a90c513211ab9f17230456ef598c2dbe48cbe2da26d466e7c2b795cb9421f0e2bb8f4ccb3068c051b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
fb8cb461917e7eff070adfe844b9743a

SHA1
ba43175b7d1eb9be7c0c5429d4a1c17d98c71f26

SHA256
1d77ae0642b2613dbda682a129212600d029c244be9e6e876299e40b8d3e843b

SHA512
5f35140fc779921a87a0c6f6639476d79af145bd4cf58e2914e9fbd24af70c3a54aa536ba1a9fc1a6475027f83aef73c5c1b9fdb6e0524c5466d383e4e2c81ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qe4kz0d.4kw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 853281.crdownload
Filesize
5.1MB

MD5
45effac2bbf16528c8c6fd5d84a3ba61

SHA1
5747767e68d7e892099c77394f1918e75bc62dbc

SHA256
d6df17927a07ce2452b7dd53cce9228380e0754aca04ab045e473e3f6c589d55

SHA512
3f3c4cc622548ab559290e16bd96f5e7b7d7df31f9af74f38eddb49d0c2c4f225478959d4fe9eb255f2dee0f45bace7bd6cecf7658eff2ef26635e45e6668d89

Download Submit
\??\pipe\crashpad_2584_XNAJYSAMGIPLSEFJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2972-84-0x00007FFB4F0C0000-0x00007FFB4FB81000-memory.dmp

Filesize
10.8MB

Download
memory/2972-80-0x00007FFB4F0C0000-0x00007FFB4FB81000-memory.dmp

Filesize
10.8MB

Download
memory/2972-79-0x00007FFB4F0C0000-0x00007FFB4FB81000-memory.dmp

Filesize
10.8MB

Download
memory/2972-78-0x000001DA316A0000-0x000001DA316C2000-memory.dmp

Filesize
136KB

Download
memory/2972-68-0x00007FFB4F0C3000-0x00007FFB4F0C5000-memory.dmp

Filesize
8KB

Download
memory/4652-86-0x00000000065D0000-0x0000000006B74000-memory.dmp

Filesize
5.6MB

Download
memory/4652-87-0x0000000005EE0000-0x0000000005F72000-memory.dmp

Filesize
584KB

Download
memory/4652-88-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/4652-91-0x00000000075A0000-0x0000000007BB8000-memory.dmp

Filesize
6.1MB

Download
memory/4652-92-0x0000000006370000-0x00000000063C0000-memory.dmp

Filesize
320KB

Download
memory/4652-93-0x0000000007040000-0x00000000070F2000-memory.dmp

Filesize
712KB

Download
memory/4652-85-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download