quasar | adde0d3454abb438006cba083245b964eb1945ff164809d784fbc0d61b1dfdf2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaWare V.3.exe
Size

3.5MB
MD5

f3c97ad109022357adf1efd83ee4008a
SHA1

a244328dc018ac0e89e9bb7fe15edc4264fa4422
SHA256

adde0d3454abb438006cba083245b964eb1945ff164809d784fbc0d61b1dfdf2
SHA512

6992fae6ae4852380f9597bc207fd001a93734eb1bb2f5181c7e5b4051ac0c3c3bdeee4b46e5d3a3b5f41ab30cd5457e0335d98f236122d6c2bcf01e3fe9704c
SSDEEP

98304:OvOL26AaNeWgPhlmVqkQ7XSKdJCwrqRqM+y+N32/rDc:wO4SPwAoB2j

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

eggballsbird-31516.portmap.host:31516

Mutex

6a8db52f-1bdf-4856-8cce-d200c8503544

Attributes

encryption_key
A49DCA5598D0CD7A141F7624387E04CCB7142671
install_name
NovaWare V3.1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/604-1-0x0000000000670000-0x00000000009FE000-memory.dmp	family_quasar
behavioral2/files/0x00080000000234be-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2088	NovaWare V3.1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133655458186407962"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	NovaWare V3.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	NovaWare V.3.exe
Token: SeDebugPrivilege	2088	NovaWare V3.1.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2088	NovaWare V3.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 2932	604	NovaWare V.3.exe	86
PID 604 wrote to memory of 2932	604	NovaWare V.3.exe	86
PID 604 wrote to memory of 2088	604	NovaWare V.3.exe	88
PID 604 wrote to memory of 2088	604	NovaWare V.3.exe	88
PID 2088 wrote to memory of 1584	2088	NovaWare V3.1.exe	89
PID 2088 wrote to memory of 1584	2088	NovaWare V3.1.exe	89
PID 3756 wrote to memory of 3476	3756	chrome.exe	94
PID 3756 wrote to memory of 3476	3756	chrome.exe	94
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 1460	3756	chrome.exe	95
PID 3756 wrote to memory of 964	3756	chrome.exe	96
PID 3756 wrote to memory of 964	3756	chrome.exe	96
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97
PID 3756 wrote to memory of 2596	3756	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NovaWare V.3.exe
"C:\Users\Admin\AppData\Local\Temp\NovaWare V.3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\NovaWare V3.1.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2932
- C:\Users\Admin\AppData\Roaming\SubDir\NovaWare V3.1.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\NovaWare V3.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\NovaWare V3.1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe238ccc40,0x7ffe238ccc4c,0x7ffe238ccc58
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4160
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7cd074698,0x7ff7cd0746a4,0x7ff7cd0746b0
    3⤵
    - Drops file in Program Files directory
    PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4824,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5240,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3224,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4496,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3204 /prefetch:2
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4680,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4656,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4712,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5140,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5276,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3256 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5180,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4832,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4708,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5848,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5840,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5264,i,12537385028612289848,514027619875472569,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:4144

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
133a7fa614c77f2d894f86e988cae38c

SHA1
b2f237ab7998092838e798f593e8c1d586942a41

SHA256
cc3e47883112e0d23da933b363c5e08db8d3e9f426892de363791da0ddca0461

SHA512
7bcf6b411aeab0bd1c6c79cf67bfce692f6c1e64c28247d9dbd1c212afdf124bb87167cb8aa4fb96a31093453f3bf460780eb92ca763e91996f3b23aaa406ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
ed91c4420bc34d13d7ee4f281a6e8320

SHA1
c146f967903b6da2d23eed70a6b6b1d07d5a7677

SHA256
f40f8a63b5b9b0b65fc43a186aa1b7b33e4520a6445d0045adbe76cbeb3b0a4e

SHA512
9ffa8dd070cf50064d8f3ab78fb0dd2c25522bde984da7f2d90e23462cb6523789de4d2a7b2e2456927783260ae5283f6ffd340b4d32e8f68c5f4de2d44ab1a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b15ec51fd911262f6a1330af80526ae1

SHA1
28bbb4829f3a5996a7fcbd291cf81f7aefc34e4f

SHA256
8de5f86eb8c1b51285bea73f00bcc9d9dbfbb096fc5c85bed9f6ac252aaa8710

SHA512
ff38e88841cafb1c7c019cd9fc91b43b3ee0e0f95dcf3755397de747ffe0cf5f729fc32f7ddbd7787f04336cb0356fdfcc87f7f5bd663f204024035ae25435f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2e505460d57dc90bb0f0fc71fd8236d3

SHA1
0419292ad06dfe53f9928665819fb98481ef4bcd

SHA256
2b711ce8422b99c2759fbbd040712840970240a2129b192d4aefa4803b71b8b7

SHA512
aeeeb235cc0bf88c203b70166d34c7d14b6c93641ee503572dee7d62a1ad2c3cd66dbf9f38a0ff2dedf5ffce9cf4b6f6ce738defc340bfa70a4caf730b83564c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
a35601928d9a203ef2fed9133cbf70b5

SHA1
55416300c7ba771b428494e302fb00da7f402aec

SHA256
458a74af2580e80272161d1ecad60b343adc7a0d275233cfdc3a2f94662f04e5

SHA512
6bf22bb6f09e6f6701743f563d20192c6c808d06e807fd76fb89c132e666a324dc21c504713749ad8cae85345e175d4aa6de0c55a9cece42c0e32d9362275dad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
12e11d29c4b34f69c4b93f1918f63ae5

SHA1
b90d6de181becb61de71181e965fd93c30fc8cc0

SHA256
afcba3b037ece5e8097d07015fc8e2bb307734da4f8b8685418908d3e5824ec6

SHA512
d14ca7b27537d71008bd167617cfd496bfa97e554eedbf47eff0492d7b2560f29e918eea1cc2855d55aa667b2303183398e31f32e05d12711eb422628950bcbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
174bb6175ed391eab86dc2a709b9f10f

SHA1
b2bcae46d11f61b9f49795cb3a976a3cef71a08e

SHA256
a0dcc7a19ce5729d41aebb6013df8ae2876313c2cd26633fa4c69be090f71137

SHA512
623d1557191d957872002c17f637fa039648d144745ef74fde6562408b895049db0d7e2368497e83bd823f43e2278172f5e87692e8d848f615533965e9c98b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9a60e0c0544558f5b132db3ca98f6e3

SHA1
178132ba7591408668d2b9eb05b08cfca7bf8a5b

SHA256
b525f0e4e409479e69101b61fe8a590016da1dfaa1eae694fa0d4592ea415a7d

SHA512
5212a1cc7bd905314e3e3a97595ab5db678debeef31c8aabe685246b2eeadab082f7193dc5738a8aefc51d8265685eac67f34f3ba93ceb30fd53c5e145f6836e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9ffc880e6c3272b6eec1ea3ff85eef8

SHA1
e9f6ef91f398c8338a77baac4dd8fdfbc988f3a3

SHA256
933c9fc698d00f967dd211f809602f2387897019fbcbdd5586525b243703408a

SHA512
248730362ce002e0a210e68e4a18cb7c0fdfaf504378c59e6ba80711384c45d33acd210d2c4836a29060aa9f0f5ba19b6558b1ca26a9b7fbf37df9756892381c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4a2d5555268460f37d3ac2af9bfd96b

SHA1
652d7c2eae6bbf6e09fe92d685f5c215e3b2f973

SHA256
3d85d49ca05eac19b7c293de955434beca009c78d652f19a59300d7deab6ce55

SHA512
e21cb61ecae60ecbb7bccc162e57d77c29293416faf70725b641fb82045fbdba495a36267d19282d2cb4e2818c441165391185d9b2ee6d3fb7d615ab559c423a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba317677fbbc31ffd35709cdf7f0e117

SHA1
f058029ee68ee182774f9727008978a5726bb538

SHA256
a9526156005fb2a295c58454939dbe489f32c2726be2f43aa7e0fe51d0dd55b3

SHA512
fa3b4d8f67b5ceea2c5742b38dcd0868350eca6e060d8cc842b8d6dd3233e6474568b71268febb9187cf04aaefba2b136c2cbd6aa4311adb2672645f83fac455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22c53fd4cf3444930980e5fdb4e0f65f

SHA1
92a7d4e8757ddac5dd3cdd25e9f53903b062b254

SHA256
180857bbcf12c3e63c8883b98e707fdd751a4352b45be074f4f5a245536a3e7b

SHA512
6b65717057b4901d63845cebb3ab9227fb6e7267ccd124dadb4504f15a84377619b85ba391e9257c9b2e5bd24a39789a6cd2face59e4500ad9c6b2cc5fbd87fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
730634c6c8f1976ceb779e64365ad983

SHA1
d7c563f3e185fbe0645188d24929fba65d441943

SHA256
dc94b439583f9280746231416d3730e664e359504ef13bb8f95ebbeef974f0f2

SHA512
abb10e3e5ef9f817b798f1ca588b0c3ad02fb02b3502e7bd7092b5191d59a38e8f45e05894450389e00cba0cc9fac4111ba2ad968a06211b26501a34bcd3e2d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
96ff5f37f34f63bba6ba9703701c85d2

SHA1
e18e0170104e5315f9cdf50721cf33fff107b0fe

SHA256
20d2b41db120938d1c0ee0a245819204e1546acdb9f57acd2b705e0eaa8ede77

SHA512
6433fe37bdd68ac2e7435580c8896424d4b7a6831cf13c584959ac98b5dc09cc357c5af302c5b155aab7a89f349f600725fbb3646fe25cde681545fe6820ff4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ded6b6344ac4aad3e03ec8b2e09734e0

SHA1
55f080fe51d7d9aff58c32e02f226866663a55ef

SHA256
2bf9aa4e07d0ef6c6e53d45f56675447217fcac2fd7973d9c7b8c2de83ada7a3

SHA512
3f91180f4f5d5c9d6bb824053c3212392d95634e40c85dcd6515f68173fb305cbf02e6918c0aead290d0cde4154023329a2592b73627e459d300c819a767a1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c06f8f4fa5d64bb25391c343419d7678

SHA1
34c610a05fff077e081a9fa3bc0700013ecff598

SHA256
68fbf5eb8fca1d7e469f853dffe9bf6c99759f17b3359354420250a38500abaf

SHA512
e5bbd5b78b4e916e7fcaac8461209dda3a1974baa3518a94701bfc1c2ff7fda795f27a466f05247a401a604d6c5c2414f3f69c02fff577e7d2ecab2533e0ebfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a88ef7c8e8e604724d834caf135b5e6

SHA1
318a84db62d880442bc8f3820d9b23bf231ba2b0

SHA256
fbc70d0ca3de12867ab348cffb0636cb08f0fc5fcc94b41cc187792b3cd28125

SHA512
16bb6c07e732842375cf35179f45df4ad6d703156f681458b8a0c8a18139cad5356921bcc4df54968895e14194358fad390d32d859d85b561ccc74dbf15f1901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d31a978d9e3411bc254d0838fbcb6c74

SHA1
549cf25799f25e55237c84f0416340a459f20795

SHA256
27c58e12f90782df5a2ab78b6aeb063b4c93aacae3c159b3e635116fa2b98e3e

SHA512
9e89d41a7a88e8074c72e64793ce906e5f87a4cec040e1423b5b87915df56248ad6806f48fd7779a620134697024d888c925cd35cf3eb185b095bb1152773004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
0579c3d0edb387fb1825b45d871a84e3

SHA1
2782bcb4ed254b8f677ea44675549c0e9b13a8d3

SHA256
96466fb6396681a71792b7594223cbbb201164238ea7b023662fab2bd516ba16

SHA512
b3fce38cc7f0a2e0ada7e505782071acb6c7dd04db3c3f36cc8318b16611ccdd88919451a0676ea6c8335bc60ed255d67572ad4ec30398346b5e9ea8a82e0da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
756565ef65cea3ed1e3a8b91d299c753

SHA1
cab2d08ab5abaed116fcf8adb41db00508d66e22

SHA256
93de8afa947dd2104d80a24ff3d9224d86893daa0723719b507718d15fd8f230

SHA512
9ed43559f1ea01170d24d31501564f5df8cb8feff4cb1044e723a82f645a4d7e1e87ec7fbf4e6b19ecf02a61d83c9da63ac25634b1ea28a378087c93812244f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
951a4b4579ae55776e23feea32517f01

SHA1
c88a8e1edaae434a4981a9e5d008e3bfe218a55c

SHA256
79acfda8b9877c11e14f6369b54391f92a5850701ff9101cd50f543aad3846b6

SHA512
9fd2181f818a69c014fc3a0cda517d35fbdbc8821813b3aedbe71b7a63f48215ec713d5e1cacf5c9369dfb8600584baf916cd3088daf0c9038002d19aa8b45de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
fef15dfc1b85dcae21595dd2e7a4f0b6

SHA1
25690d3004880bcf3f58cc2c262748d65ddec0f5

SHA256
cc2e92b34b88293a73854f9f0e5d669e567e92a7af6bf335cd9fc98a72d3f9ac

SHA512
d80b4c436e11b4e7ef8ff794d75014bbc465f5821a8811584d2f20b109fe103a13811caf2d6c22d05993b147473638bd5b4b129ed19d5409da55fc178288f035

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\NovaWare V3.1.exe

Filesize
3.5MB

MD5
f3c97ad109022357adf1efd83ee4008a

SHA1
a244328dc018ac0e89e9bb7fe15edc4264fa4422

SHA256
adde0d3454abb438006cba083245b964eb1945ff164809d784fbc0d61b1dfdf2

SHA512
6992fae6ae4852380f9597bc207fd001a93734eb1bb2f5181c7e5b4051ac0c3c3bdeee4b46e5d3a3b5f41ab30cd5457e0335d98f236122d6c2bcf01e3fe9704c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 581362.crdownload

Filesize
6KB

MD5
eb6ca705d56aa43acf5a6943003bd412

SHA1
64cddd534e3536f91c82b2a0384153e769147eee

SHA256
aaab21af0334f9add44817624051173d0da03623e0242a1cd27bfb981bcf3724

SHA512
555d1dbb94e53b98866dc7e9fa4b2438b0e7e967ed4e6f65ba050c0ed9d92c99e35938950de929259d36aadb39093381896382c21d357a6b4d44b1ad78dc6d11

Download Submit
memory/604-0-0x00007FFE28B03000-0x00007FFE28B05000-memory.dmp

Filesize
8KB

Download
memory/604-9-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download
memory/604-2-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download
memory/604-1-0x0000000000670000-0x00000000009FE000-memory.dmp

Filesize
3.6MB

Download
memory/2088-98-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-97-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-38-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

Filesize
5.2MB

Download
memory/2088-13-0x000000001C2E0000-0x000000001C392000-memory.dmp

Filesize
712KB

Download
memory/2088-12-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/2088-11-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-10-0x00007FFE28B00000-0x00007FFE295C1000-memory.dmp

Filesize
10.8MB

Download