quasar | aa3170ce6b4bbd9960ac0ccd60f7d0b39cc0d28254bfe73545b540cbd8444b21

Resubmissions

15/10/2024, 18:43

241015-xcv14avdjn 10

15/10/2024, 00:19

15/10/2024, 00:16

14/10/2024, 23:42

14/10/2024, 23:27

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

e35d832888fda0fd705386a4b94ecc49
SHA1

86380c3eea496c7947c25c547748cfeed51c4de9
SHA256

aa3170ce6b4bbd9960ac0ccd60f7d0b39cc0d28254bfe73545b540cbd8444b21
SHA512

60d6aec705948474fa007dad26fdba9b92dcb1098aefb4eed2898af7b048729e4a3ee5af7e7b9ca9e555b97b54f6d97007dfc1531d0abb9e5da01b5911c5fd63
SSDEEP

49152:Av4lL26AaNeWgPhlmVqvMQ7XSKNEREuY4oGdPwTHHB72eh2NT:AvQL26AaNeWgPhlmVqkQ7XSKmREuT

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

HomoThugger-36407.portmap.host:36407

Mutex

42d6f4c0-e8fc-473a-b92d-ded3fb29334a

Attributes

encryption_key
3CDA48FEB25557C87485A9F37CDC861398BEA3C7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3548-1-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734251776898098"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{6C1A911B-B3AD-4460-B3C5-B7370F52675E}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2388	chrome.exe
2388	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe
3116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	Client-built.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe
Token: SeCreatePagefilePrivilege	2388	chrome.exe
Token: SeShutdownPrivilege	2388	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3548	Client-built.exe
3548	Client-built.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3548	Client-built.exe
3548	Client-built.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 3736	3548	Client-built.exe	87
PID 3548 wrote to memory of 3736	3548	Client-built.exe	87
PID 2388 wrote to memory of 3172	2388	chrome.exe	99
PID 2388 wrote to memory of 3172	2388	chrome.exe	99
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4892	2388	chrome.exe	100
PID 2388 wrote to memory of 4912	2388	chrome.exe	101
PID 2388 wrote to memory of 4912	2388	chrome.exe	101
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102
PID 2388 wrote to memory of 1560	2388	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffc786acc40,0x7ffc786acc4c,0x7ffc786acc58
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4748,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3376,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5360,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5348,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3396 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4492,i,15700989414497050231,5155235598095206604,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
791658d2c171e1d48fccdfeb30c9adcc

SHA1
cfc6673d4334169b205a4fd743e5d2b5d729c326

SHA256
85c032344ed3fef797611709b1384880bbc22790390916ee9a9f7bd568b37ca6

SHA512
49a309b6c54c087aceef2fe7ae26d8afc0a738df6e5562c1b63c2e9f58c5992fb9e40e93290fe46818d7db6ce454f5c6c09e25733b5e9acd36c56e531500be2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
0254c1669631bc10841b2b4f53b60e00

SHA1
159f4d62a162743e8ef68f9a53aaf6c07c5093e0

SHA256
4f0bb6e8b8cb465ebed5520aa5ecbc674b6ed12fc59b9217c79cb02fd19f536c

SHA512
e76db276ce326ef473c327e9c3aab661b47d588cb91341608638af6321e256ec756d833cde59bdc6421af60a5dd671f0a0254906e4724b8c6df683debb369833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
087c773f032f08b830fc515c30cd5205

SHA1
467a4e40fdc074aa1475841bfa2a44ad2942e7d0

SHA256
a38beee37605d3d09e003c0c5d4a1389ee6a7eaf830b1cbfe5cc32459db7bb0b

SHA512
a1cd2002b260b5d6cde855a5ef07fac37f62fdd79cf36a1c2c3653b07d6b7c653d741bf001591e0fc0177ee1581691ea50c23396f7b73c059f28f790fe3737a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4a5906f918f0ef996d23f6a02044bbfb

SHA1
cf40be8320131248d891f41607e87de9eb0c5115

SHA256
6509b245ee1da47b524ec013c6257383abac43309dee4f30a8167a10b4e40624

SHA512
796af062d71468a1b33a94d260e5f8118f1cbbb55c6eb29287b64c14147d9da5f4e009d19b43f6fdcd64718417f2ac06f0176a992e46b174f71adf7c4259045e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f43b07715efb224393db45b28bf03786

SHA1
eb049504c662899ac9b72b188a8ed877a941d232

SHA256
d80d04968f1e28c15a96242767279fd5e1fc3c78468f32814ed8879b95ebe231

SHA512
2e87bde01f12b278120c3da82fb8bf3c5945f941bc595b0f4b2d6883242d65f2a385218446d8e36583d697804d94bf577f16256d409fac0ca5db5846762d48e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a9fe8279e8c81cd84d62385940fae160

SHA1
15997c304b7b87c59ec766bef6b6b8fb1fe27fea

SHA256
7c096935e7b83ca83e729ec3a3e192707880fbe23092a3acd1a74cdb5de1a119

SHA512
71f4d645f30fcf4e035843d6396484397a795dcc2253d95e6331a192182b2ab552550a6db958ae5774c970e262799f7354d689022e12c789282a8d929aa2cb89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
64ede9e9ed96539e3414d245018a51f5

SHA1
522510be0c3e2361ec7b3e1daa4e8e82a5b0ba12

SHA256
d496979d26bc9c4f81a2bab641026a0031151fd37822fbc44859613a6c9d27f2

SHA512
7c050c86b79ef2c82a98b14f681951a8fbac209b39291997a3c94d8b2e69f1fb22925fa7935e70e6d603889423a4beebfb8acc81c23bf80d68cbe6e77cc1de2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
b91d64d5d4cd81b0c03eb8be7e70b3b8

SHA1
03744bdb56f152b3da7e428bbe1d182cb1f1368e

SHA256
f04af03726205b956e753e93a5a62a0376b0fecef17b99bd614d7da27c77d269

SHA512
505ed77b449862d85afcfaaaf36ac8b2dc32cc9164e26c482f40d628726e43097c40ac6828e3264d29d1c2a936a4dc864939cf926c3e32361d00c3d7f034f2d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
180f9f1c54b7e3afbd0e88cf1dff7b59

SHA1
d769d1f4bf8c09e5314bbe1b949111500d91faee

SHA256
94bf5c116d0083aea1f2046f9c6badd53aac68d3d9f86b7c0eeb3a657e82f992

SHA512
736956fc63e5ff8cf2cb2359db5856f6e5a9ab4d3046a5ceee39741d82c278e823d131fe2b9c15d5d1540bcfce64d25ec04dcfe0f60619b41ec410f27c30f684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0ec512be6d4c8a45241ac867d1ad1f5e

SHA1
86b5e1c625ab977a9d78ee733697bbfeaaaee8d1

SHA256
3e0cc22743c4979cb94a05dd1c990c113f8291033692e54c4d82f7301daf25e0

SHA512
e2aece301cc0556ed77d14ebd1b6a9d5de264c5227defeb40e9db050d6bf4d169a6c7c6d99da13d100aded84d788761b198478745686fd9efc110f7a0fddfdcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fa0aeb6d3bca726f6e5ad484d4077fa1

SHA1
1cb0e657a96f93aa10a0c7329aef276f3577835b

SHA256
7f7302da0b65bce5a833e624d21dcc23c4ef6ff1bb9a4cd192c9fb69ab7872c1

SHA512
fbbe6c7aed48c7f03e0b6a52bbe2f82ee80e8e73c87ea03f8a769aa33f08ff644ec708ac4a1b693c6231169d1339db15ef8f595d04c4368b8d0d35c834508918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eb0b56dec107b2e14c3924fae4ec9ec0

SHA1
6120a5a0be59c9cee783e1c8fb4d3a478aba80da

SHA256
e40fe21957f6fb2cc2ce0fb795fbb9499333c86742edb2e1e3f20bb9640ee77e

SHA512
937d51ff0cc7addf6510749caf1973404395a3cd6114bca16c3cd420bbb944b983ba4c30c80000af4923d58707704e1e748b27301e944e5a248a7d953f1ac4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
727688acd245c3f26d5373d56b490138

SHA1
2192a11cdf8fafe8b30218b9382b59b3fc6e28f3

SHA256
68183ae1e8fe7e95bf804f239c7bdacec609edbaffd6867c080a05c16743fe8b

SHA512
757bf399ccef2664af78c210af7b22fb837c41007a7881a006adc73c46a42a94dbacd4173f4b6487ef73eb9880dbcb72fdf5501ed3a130cb0abf231a3d1e3e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d4b59417bda511bd49e9e168c49506e

SHA1
0db3762ba9e3d58de561bb11690880124aab758c

SHA256
7b11ca5b752e09083809510c39209a6e8bd9931c06d9346bdec9324233ecbbdc

SHA512
54af4430305d212bb12c05409e58249a24c410f7a30d35cc55641e4bbf4b696bc63b1a2869182909138f20eb25e6601655c4f2df75b0c69884f397922bd62b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2820a8d77b46c65be170df53a7777b84

SHA1
b87a98dda6417cc20690b63aa21ad1454e83b5ea

SHA256
26c9d52f2e6d74fb765eb0de1b906ad4f36dedd7aa76e27dcd764a8a1c6d0c54

SHA512
a8342524bb7ebc4faedeeb7230d26fbe72a6c1ada5b7419751843db55257cb8e3d184aefd687f63da942f23042b4ef8eb06d52b1feac10c9740deb3c3b946acc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
124402e7de348b71804755303d038d14

SHA1
681a89f08575cc654be117a4b379ffdcc6c4196c

SHA256
0e3029660659d1bd0c2e0e717b4b45628edbda937d4b6ab742b0c5a33d728b82

SHA512
d250c6c3c0cf5943fb125defd9170513fae0ba4ad027c2d54f0721940c085088cbf3aee3d4d42a99b143663cdf138fc340dd511ccf9476251d4e682ddd76f3c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
206844b40d13cd5c8b415d98b12f1bb4

SHA1
1db67a5d63a89d1ca061e7bce907b07906aabe9b

SHA256
ea9117c9871df716bc1926d6b60590b97c327c18df449335b4a87d1ee0144492

SHA512
f2def8a617a289c761be40744376a11da70f7d2c4660fa89d33174f7efc18ca95641702d6d73a88b361ac3c63c911289940a3901daf011de53fd472dda5044b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41232e1ac6ca538cc2c2ff101b6525a6

SHA1
e7cb2975dccb02e1f8a32fbe45f2daea3c4f5a67

SHA256
bde9dad8991fe0c1e368ca82677449118eb8a19c86aad9244a15110f790c2626

SHA512
726916614a1c9abe8817c4df5a3b4386ca192863d67eba708aeeb60b193d8f426447f39dfc1e5fac3dc45dbe1d244230b8f5f2246349a81316199aaa16499a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
52162a42e5191e523983b76fd9a9d273

SHA1
d152b38c229f8d0acbe0b1990555fbd930451b29

SHA256
dc87b5f5e054fc5c234db690aaa02fb5bcf78387922d33c35ee6c187a163bee3

SHA512
e92233792e5a9787f111afbbc746f97ca56b5270f1c16df5131fb658c49dc394c4ce41a039b52746814ec113f5502f52a6f29ea7aa16c2f98058ae18dedcaaf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
527519c51d1e841a6b71946d6c0a0550

SHA1
bfae981b1072890465cbf94c821777eefbe35a37

SHA256
7ed1b173fb861c8c39c7a20d1797c68c9642b97c58669563cfc70ac0e150a787

SHA512
5b9ce5e453679c27477b60a81fc0e0d41568d20d568a2f26271470c1786b3ad2c810ef0e7d8343f5c6cb31849dfa88d3c75fd8d6c72d9333ee7c05ba8495efcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
a91d01eed8c4456f3bcfc34aa27e8510

SHA1
0cc5b18e4f98b52f1f8611f7427dd464149aac66

SHA256
2a44e446691d195e751692e8d595f619bcc9e5f0047900feb6ac451806ebfa5b

SHA512
f19e7d2db824d142ecc355bd28ec94d2267864458573c6670bb43a144364a95ad760ca1d5da00b7e5165ae3d0fd79bceb0f0d07983577974fb29914b275dd6a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
2bf376cca949ec7f6610efaeffd69413

SHA1
3614442d3512466a3b857a7f7687db0d5362d83a

SHA256
59feaab5b100d92db101ce879cf7851e179eec77c7e139af2e936e3be75c2c23

SHA512
13b411949331d8dedc096af14b30b893f302b33758c521e99389ad33ad117fcac165fb09808680aded4434b62d3c342ce93bff0945baf3738f2a94a1c5988dae

Download Submit
memory/3548-8-0x000000001CD20000-0x000000001CD5C000-memory.dmp

Filesize
240KB

Download
memory/3548-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/3548-7-0x000000001CCC0000-0x000000001CCD2000-memory.dmp

Filesize
72KB

Download
memory/3548-4-0x000000001CD80000-0x000000001CE32000-memory.dmp

Filesize
712KB

Download
memory/3548-3-0x000000001CC70000-0x000000001CCC0000-memory.dmp

Filesize
320KB

Download
memory/3548-2-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-9-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/3548-10-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-1-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download