quasar | f6fe8fbbafb40ded2572c45d74740d6aa5a7bd6149e2ec2ddedf9030b7411228

Analysis

max time kernel
1495s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

3.1MB
MD5

3923567323be44b3a3955f8b69585396
SHA1

c2db51125c1d664ac02e9ea28fbe4fb6fc47e59a
SHA256

f6fe8fbbafb40ded2572c45d74740d6aa5a7bd6149e2ec2ddedf9030b7411228
SHA512

5d410bfeb594674195c46dbd228c4967e5df07bd3b6fe3d16a8be48690d58354d4448e35b9fc7a99bca720ed104d6e24be8fd8d8abc31392ccd55a556da14dca
SSDEEP

49152:KvBt62XlaSFNWPjljiFa2RoUYIx8pnrTFvJKuoGdNTHHB72eh2NT:Kvr62XlaSFNWPjljiFXRoUYI6Tl

Score

10^/10

quasar watchdog discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

watchdog

142.115.43.143:8080

Mutex

1c1f3ace-a14c-4361-99eb-65aedb6d50fd

Attributes

encryption_key
3FAEE4D5FC9BC245D4CA5F4165EAFD34E8D5FE16
install_name
watchdog.exe
log_directory
logs
reconnect_delay
3000
startup_key
watchdog
subdirectory
drivers

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1360-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
behavioral1/files/0x000500000002aa12-5.dat	family_quasar

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\watchdog.exe	client.exe
File opened for modification	C:\Windows\system32\drivers\watchdog.exe	client.exe
File opened for modification	C:\Windows\system32\drivers\watchdog.exe	watchdog.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	watchdog.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2316	icacls.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers	client.exe
File opened for modification	C:\Windows\system32\drivers	watchdog.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4568	schtasks.exe
832	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599112286025040"	chrome.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe
1436	watchdog.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	client.exe
Token: SeDebugPrivilege	1436	watchdog.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe
Token: SeShutdownPrivilege	4220	chrome.exe
Token: SeCreatePagefilePrivilege	4220	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1436	watchdog.exe
4756	TextInputHost.exe
4756	TextInputHost.exe
4756	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4568	1360	client.exe	80
PID 1360 wrote to memory of 4568	1360	client.exe	80
PID 1360 wrote to memory of 1436	1360	client.exe	82
PID 1360 wrote to memory of 1436	1360	client.exe	82
PID 1436 wrote to memory of 832	1436	watchdog.exe	83
PID 1436 wrote to memory of 832	1436	watchdog.exe	83
PID 4220 wrote to memory of 2508	4220	chrome.exe	91
PID 4220 wrote to memory of 2508	4220	chrome.exe	91
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 2100	4220	chrome.exe	92
PID 4220 wrote to memory of 1592	4220	chrome.exe	93
PID 4220 wrote to memory of 1592	4220	chrome.exe	93
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94
PID 4220 wrote to memory of 3528	4220	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "watchdog" /sc ONLOGON /tr "C:\Windows\system32\drivers\watchdog.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4568
- C:\Windows\system32\drivers\watchdog.exe
  "C:\Windows\system32\drivers\watchdog.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "watchdog" /sc ONLOGON /tr "C:\Windows\system32\drivers\watchdog.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:832
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /K CHCP 437
    3⤵
    PID:2456
  - - C:\Windows\system32\chcp.com
      CHCP 437
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java
      4⤵
      PID:2056
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:2316
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -version
      4⤵
      PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc20eeab58,0x7ffc20eeab68,0x7ffc20eeab78
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1556 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4868 --field-trial-handle=1800,i,6960122061073267485,6644878460361262350,131072 /prefetch:1
  2⤵
  PID:1348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4420

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
45ddbfe06910bd0712febd34bcf116b5

SHA1
0fa0b880873db3ea7af95d33076b286d3b903580

SHA256
60a220bf9f4fe1c64dda467340ea5f23dfb85226d8ab137bca40c9521204408a

SHA512
b078a749df4287813c5f5040dcec6e84324e6065c0944cf5daaa08d0b5fca24394a6a264262a3666c51113cb1361c5d99d9a263b043fb6806f088c67cd8774af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
80086a72e938cb739bf3373407c0be9a

SHA1
efdde776adfcad191d22580754568f3b8fd587ef

SHA256
07deceaf6c28877894087cf7c2e2e0a0d9aa5c583e4462578e024e5e31af4433

SHA512
de77e8ff76d98e817187b376349d647dfd14a34682ad4dbc201d2d8fa9130d617933a2d2a04d26f9dfdc49648032a04d1f2da1a7a114f08dafadc08e5d4de2ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
422561b315b4838e2afc478a95b68fcc

SHA1
df4e030b966d5afb93dd263b551d47618fc3b26c

SHA256
e91e759add7e039b03d8477003f9a82dff2e62fc9b0066550ba8f441a634cbac

SHA512
ef21078d6fba565c4dae3d750596aa5a77a1cd318a23f6fddb6d424a9716ccf86235507d62aa10138efc745f118fe2ddb3a2000a87dc57ef2af2f7dcc205f9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c223fbfcae5d0f57f9dbdae0bf228e5f

SHA1
7dd2d4b211eed646b5213a6506fac322649a397e

SHA256
3d33ed05b314f03ab36cfbbe1bc672cfa46a6ac4351e67bcb8c3258788997038

SHA512
dcd3cfd1bbe4ac5c59835d1ca13c7b2a30c462bb42da01955caeb9b5f322db57950636d20ea6156a222bcd41d64587ea423ad070f48fc4131defb92021244798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
76145154761228852641d83a081534b7

SHA1
3eba3796a85bde271cb2b6428c11a91781e0534d

SHA256
68f15de6fd90b56998b01780a8f9f6ba802f8f6cc87b0b929091fe7795384a2f

SHA512
0ef8ea75b164ebd7082c01f431e616fedba919aa787a40779c61c67077a94b3ea9602dd86ae93cbcac44aba1a57237a85b37150801c4aa3f4e8a0746a878582d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cf3bf0a968daa6703ff670a7d4083344

SHA1
4f4684e8a25fdcd6c481267725e8e731b83ad79b

SHA256
cd5ff8e6aec55a5deb0073635fccc785081563b0cf0a696e4801746fb66fe1b9

SHA512
5d50a4e2b16e618d680d4783cd31eda878cb8c6def03c4dd90e2fe7c7a484a7cb65503028b1455f5b67566fad193491a76dc228102553dd6d21eaf68742afc17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
eab7eca57ed77b152dfb0d8b410b5509

SHA1
13855bf1400a1fc9f5d35dc083b077c4aa308db3

SHA256
74f776bb4ea9f11777284971a633973ca8aeaba0425ab1e59e71cc87edd8c0bc

SHA512
d6bc5000cc4340857325899cfd9da9a39a7b90506890a2e937ab9c448d238e0faf7552b2c2dd7ee452fcde1aba7e08917a985b543cb903fcc4ac1dc5cdc40b70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
7033f02f7ad0267b10bbd6d6696720e3

SHA1
218b08c6af87b2f79d3b7b09cd4a177cd753198b

SHA256
d67f7ef6d58dae932a92456084ac9cf0c555f24eb7ded0c019217ee24b1e17c5

SHA512
5131135e9e0a2bf9f96b1c1d2e2d6edc4b1bde7efd7c8a96bc400d5fa327b6b1fe7334eaa29d73546924f2b90f4cdef6c2e7268af23fe44ee940ff6d84c0150d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
6722a279b52eaa9a3011e11aadf31776

SHA1
085868b276c22815b36340b3c6cf480ca8624a9f

SHA256
4f0f28b41ecd8b45d1ea5cc301d6101c20c11c8f5e5a9d2857e2674e1a2e1e1c

SHA512
cd4e07e197b070041200a9006bb1a6c0d70327d475fe3fe1ea53ac715b40e75a4a5b19042e31e22391f8d0d52d87e6f084bf29142dee39126fe7eeb3442ccacf

Download Submit
C:\Windows\System32\drivers\watchdog.exe

Filesize
3.1MB

MD5
3923567323be44b3a3955f8b69585396

SHA1
c2db51125c1d664ac02e9ea28fbe4fb6fc47e59a

SHA256
f6fe8fbbafb40ded2572c45d74740d6aa5a7bd6149e2ec2ddedf9030b7411228

SHA512
5d410bfeb594674195c46dbd228c4967e5df07bd3b6fe3d16a8be48690d58354d4448e35b9fc7a99bca720ed104d6e24be8fd8d8abc31392ccd55a556da14dca

Download Submit
memory/1360-10-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1360-0-0x00007FFC11E23000-0x00007FFC11E25000-memory.dmp

Filesize
8KB

Download
memory/1360-2-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1360-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/1436-11-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-48-0x000000001E250000-0x000000001E778000-memory.dmp

Filesize
5.2MB

Download
memory/1436-17-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-16-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-15-0x000000001BDD0000-0x000000001BE0C000-memory.dmp

Filesize
240KB

Download
memory/1436-14-0x000000001BD70000-0x000000001BD82000-memory.dmp

Filesize
72KB

Download
memory/1436-13-0x000000001BE10000-0x000000001BEC2000-memory.dmp

Filesize
712KB

Download
memory/1436-12-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/1436-9-0x00007FFC11E20000-0x00007FFC128E2000-memory.dmp

Filesize
10.8MB

Download
memory/1964-235-0x000001FA944D0000-0x000001FA944D1000-memory.dmp

Filesize
4KB

Download
memory/2056-223-0x000001C9D8B10000-0x000001C9D8B11000-memory.dmp

Filesize
4KB

Download