quasar | 72f27c509e27de2edbe9d98fa9258624260d3cabd7b9932636dceb610180d7ef

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TempWoofpriv.exe
Size

3.1MB
MD5

b9aee7a92f002f80a6b04c252b05bb29
SHA1

4e186ba6d401d5e45627ac789d3cf22d19698b8c
SHA256

72f27c509e27de2edbe9d98fa9258624260d3cabd7b9932636dceb610180d7ef
SHA512

b3f899e279c6f72cb8517160b747bcd44339909b61a82e4304d1e29e9e5da9506acdde8531d25ed3a3506781743c74427437dcfc6981bc992fdb5d83652cb6cd
SSDEEP

49152:6vWI22SsaNYfdPBldt698dBcjHRwn85kbRULoGdWiTHHB72eh2NT:6v722SsaNYfdPBldt6+dBcjHRwn85XG

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.28:4782

Mutex

d77230bf-9913-4330-a1f9-b2094453e604

Attributes

encryption_key
954674A032C3A24E1CEB078DEAC16D915B41486D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1312-1-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral2/files/0x0032000000023b81-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
1996	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747682895861970"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	TempWoofpriv.exe
Token: SeDebugPrivilege	1996	Client.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2140	1312	TempWoofpriv.exe	87
PID 1312 wrote to memory of 2140	1312	TempWoofpriv.exe	87
PID 1312 wrote to memory of 1996	1312	TempWoofpriv.exe	89
PID 1312 wrote to memory of 1996	1312	TempWoofpriv.exe	89
PID 1996 wrote to memory of 2468	1996	Client.exe	91
PID 1996 wrote to memory of 2468	1996	Client.exe	91
PID 4280 wrote to memory of 4816	4280	chrome.exe	106
PID 4280 wrote to memory of 4816	4280	chrome.exe	106
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 4932	4280	chrome.exe	107
PID 4280 wrote to memory of 3220	4280	chrome.exe	108
PID 4280 wrote to memory of 3220	4280	chrome.exe	108
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109
PID 4280 wrote to memory of 4492	4280	chrome.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TempWoofpriv.exe
"C:\Users\Admin\AppData\Local\Temp\TempWoofpriv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc071bcc40,0x7ffc071bcc4c,0x7ffc071bcc58
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5020,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4792,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4704,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4536,i,10565294674190564305,13869059269141812474,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1940

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\823157a8-3177-4536-88ce-72e8921ebcb5.tmp

Filesize
232KB

MD5
c813df4ca242dac533e3f9bd675d048d

SHA1
828bb4ca5cd395a5c81866d48eb68a3121f9bbaf

SHA256
d97fee35808589662efb042d9f53e1267924fa97cd9306a5bb0c9201f4286fa8

SHA512
8a715ba97244c3c4ec74035182e84622d09f3eb26a9da4ea6cca96f6c93ca51b25e1bd86ca4fc84f964e390531129762009cd4d5401ad87833b817378c9f817c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2038347894c3143ae9c82c28cae0af52

SHA1
f998f0b2108e6839275503e125df4424a58ea829

SHA256
a71937115a253d87479324e53296e40ea0f56c25070fff0a41a86c9bbb950559

SHA512
e75792e4e48db2645273aa1049d8f80f2ff5a476a4341406fac47293c4025804dad6e457484a1176a9927975db8989497cfc73f5ed6d86bd7015c6fd2056e01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
0e6d9664b988f11dd8be8a70d3619a35

SHA1
cbc79bf6addcf5c520356371826e42c188feecc7

SHA256
8fff9341a65990d869160eb208ac6fb64dab1f97591920048fef05051df634c6

SHA512
6deb4420ecf5fb0bad421fc161698a93b9d8f667fde28f8dd2bce97a9475e5920f2a58adc675ca8fa7d082ec5d0f0593337e42495313d51a7687a0586b71f107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b00cef043729defd9ae0da6c2072f067

SHA1
9b64fec158a0c457dc9afc65ac806d142edb0c80

SHA256
b9853f3d03364ccde9d767d786ea0193ef2035f66ceb59fe152b3bb6c45af8ab

SHA512
a1cc2347800131cf5b5a2830ff2d6aa7736da43317950bb96b7c8db403c800299ac73ce79952e2fbe5a0f868e8205c50c31a24c6e426392a5390d6da8856069b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
d0989cb584fef70557e66c936e2e2e44

SHA1
06660e1586dd106b773a688ad9367fa14d33dfc5

SHA256
23487a81aaceccebbf115715d27b030b84f232a641a752284fd66e67b58808d8

SHA512
9ff0952a8b2a04962e4e3d89cfc9f8aaf9689ee3725f36a713c762ce221404230b41bc007ca745d9563174a396fdb38918dbe9e3972e6efff5125e8b4d008763

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5e900a3f0693b54bdf1de919b21fa687

SHA1
bc319e729a5c46494286a4aaa44f6c8043c781f0

SHA256
b8710233688b5c0f2aaa43507a73ad73cd47c592709d640d8969e7e6a94b8902

SHA512
0ce56a03d5dca777d8c080523841e5c054333b1c551463645135803cc8590dbc70a0515859fd977879854a7744858584fa57bee7d025ba0b9441a0f9475ba09d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d8aaf7d5102cc23a0fc90a454e9269d

SHA1
ab996107e41df3fa0dd102fcfb4ece7df73669bd

SHA256
d1a2ce7c8804770bf5ed476f25ba52ccfedce60d1fdb59a7991cc10015ab8693

SHA512
d9f8ed96bc829e3475b5a05e7ee70b73cd8067d6e745953fb3cb83446f9926fdd8eb069b05c35e39baa1db2be375b7635088009128435553fdb7b69159790d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a5d2fddbaa455b6cd1ad7f13a89ccad8

SHA1
2a85bb2182560a8a3e86f3e6ec8a4c27021779d5

SHA256
e080c0af303c77fff0e36794c398806769bd60ec3bbecda41d353883da128b31

SHA512
dc0d3c3d5983576599317ed4cdfc3907dcbe657289838ab66bef9a7e786b48d825ee1ce4b4cc20af013e6d1db06e1dfee57778e427bae8f4b4e897088870e88d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a55f0a9d8545d494550766cf529773e8

SHA1
78c79595e7aae1a7b1bdf7bbaba7566364ccc578

SHA256
e47eca06ff21ba1ce32fa217bcbf5192353b053e5e08a701439285c31559a737

SHA512
c87167b0f0ba1f88c45238feeaefbe523ae475e777e0c0186d0a9922d4acddc1bbbc3f1073a6c3b7f4bc5da0d08e18bf3c3ecddce69128e0f33669e8f26d3c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d564f05bda2f8e851700a557196223b

SHA1
51df69026300d75f39adf969fc64d7109abaeb89

SHA256
0265da7cf0d58ada39f6bd21cf2e449fe9cef8395f8f18e453433818e72d7bd1

SHA512
95c43b34ded605a9eefc824ffebded1d1cd484b4468496caa2ea636ce318c2d7c712314378183dd19a71cede6ad7b89d862293bdeaad1e87b05608d374c1112e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
966748dca6119cc3023a735c4e73d83c

SHA1
7834b3827a4f8b236266cd20da77339754aa4a34

SHA256
ad9f18c02521a4700935a36ed909ea07e42d1148e3f3048e74cff0ea50551e3d

SHA512
b288d17264636d59c2a2b94c3a70c8f7e63a0791064f30a7dcdd295ec56a64d51e2b8c346bc7530858774d1e980c9de0a7c6c67a8fe00f405bdeb3f5d17ac324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
ed09d997e91dfb320fc7b068105783f0

SHA1
6b91159c90bb6aee575cae126384ff4e2dc99fb1

SHA256
116ef76b3088572ebed4e5ba8083fc789472866665f9610b3fbd34da33b6448c

SHA512
2120fe08dde252a885a957867c3486fa9b8a5e795c2dfce211331c3b193a38a9c92c800a93b095df77c1310e1a5b80bfb88e67e5b4ed418eddd5e5d1462227e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
0fc9d026bcbe7efc7850d2ac0f7e6694

SHA1
5d58f98c47d7661a57a5fd7869373a222a6ffa47

SHA256
c5b28828e5993912ea3720caf68d4492470831d0ac28c3d2cfb5e6748aebc902

SHA512
6362284df166a438af2a7dfb91f82629802691d38ede6acb57f3957ce9347e25c216d4a1a4322b849f95881c02653828cb8aebedaa06666b44e07bd227736800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
57530b1498cdc380f63f1b0da187311e

SHA1
d84ebbefc9e1ba9f47deca7831b488d3f51704d7

SHA256
c0207e8072b0f0de778952e2bbf661e1f7f0e3a19ebff56435a643a7ab0b1a6f

SHA512
b750e45823b0f57c8e8a5bd10b909bc896264bffd876d10670ecfa70d4406706e33be5dd0483977ace91e09c1a2b37021e0db5c92e6c343b1b529719c5092931

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b9aee7a92f002f80a6b04c252b05bb29

SHA1
4e186ba6d401d5e45627ac789d3cf22d19698b8c

SHA256
72f27c509e27de2edbe9d98fa9258624260d3cabd7b9932636dceb610180d7ef

SHA512
b3f899e279c6f72cb8517160b747bcd44339909b61a82e4304d1e29e9e5da9506acdde8531d25ed3a3506781743c74427437dcfc6981bc992fdb5d83652cb6cd

Download Submit
memory/1312-0-0x00007FFC0E973000-0x00007FFC0E975000-memory.dmp

Filesize
8KB

Download
memory/1312-8-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/1312-2-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/1312-1-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/1996-11-0x000000001BC80000-0x000000001BCD0000-memory.dmp

Filesize
320KB

Download
memory/1996-63-0x000000001C6C0000-0x000000001CBE8000-memory.dmp

Filesize
5.2MB

Download
memory/1996-14-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/1996-13-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/1996-12-0x000000001BD90000-0x000000001BE42000-memory.dmp

Filesize
712KB

Download
memory/1996-10-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download
memory/1996-9-0x00007FFC0E970000-0x00007FFC0F431000-memory.dmp

Filesize
10.8MB

Download