quasar | b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7

Analysis

max time kernel
71s
max time network
72s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-11-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mielda loco 12.exe
Size

3.1MB
MD5

4ae7ab9b981922837aae1c86c7f726a3
SHA1

1783e0788fb2a103d71bc9a05ae2fb85c0d70ee9
SHA256

b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7
SHA512

79c4bf39ae1761414b5f37186c2483a4b8755168824d6e783ea9cab26e7c0118f391b6417c622b65ea3ac3924ae745a6abe4838ca1d87671898ad90ae9a18e58
SSDEEP

49152:Cv+lL26AaNeWgPhlmVqvMQ7XSK6v9y/ZBxOPoGdexMTHHB72eh2NT:CvuL26AaNeWgPhlmVqkQ7XSK64/M2

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Cristopher11sa-62565.portmap.host:62565

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4968-1-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4292 Client.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
4292	Client.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754280482127721"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

976 schtasks.exe
228 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1204 chrome.exe
1204 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

1204 chrome.exe
1204 chrome.exe
1204 chrome.exe
1204 chrome.exe
1204 chrome.exe
1204 chrome.exe

pid	process
976	schtasks.exe
228	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mielda loco 12.exeClient.exechrome.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4968	mielda loco 12.exe
Token: SeDebugPrivilege	4292	Client.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: 33	1616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1616	AUDIODG.EXE
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4292 Client.exe

pid	process
4292	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

mielda loco 12.exeClient.exechrome.exe

description	pid	process	target process
PID 4968 wrote to memory of 976	4968	mielda loco 12.exe	schtasks.exe
PID 4968 wrote to memory of 976	4968	mielda loco 12.exe	schtasks.exe
PID 4968 wrote to memory of 4292	4968	mielda loco 12.exe	Client.exe
PID 4968 wrote to memory of 4292	4968	mielda loco 12.exe	Client.exe
PID 4292 wrote to memory of 228	4292	Client.exe	schtasks.exe
PID 4292 wrote to memory of 228	4292	Client.exe	schtasks.exe
PID 1204 wrote to memory of 4016	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 4016	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 1672	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 568	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 568	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe
PID 1204 wrote to memory of 3692	1204	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\mielda loco 12.exe
"C:\Users\Admin\AppData\Local\Temp\mielda loco 12.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:976
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb99b3cc40,0x7ffb99b3cc4c,0x7ffb99b3cc58
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2080,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5048,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5152,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5316,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5464,i,16477895153279369484,2184186495575336191,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2324

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8 0x310
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cb1f5c3b0c21a3503fbe13dad993079f

SHA1
22fc0c0bc2bb26bc06d775da574b66d2fcec475f

SHA256
9aef0bf336de96fb7aa42a0f4922080527620e96d37faf991e839fbcd2405cfc

SHA512
e32507a63724617684f2b936e7dd22500c3c65e34ce23e5c8f3535e085f0565d4a0b65c5fa16c834ad532ebaa9306028c21108c5e0bb39e48554808255862fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.reddit.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
73ff357d027517da7be607c7edaad1e5

SHA1
cded3b6b13dd5e8c405266c13ef5c0de5487fca3

SHA256
6769fa5a40795287bcd11d9a895dda9d9ed572f5277e37d85e0cb1ed2899598c

SHA512
2daf12ffb77658b750361b1dd62f058b2a5b4ba3f858e67bcbbbccae6fa914745adf9e251575ac09b8e5ea16a060e85d69ea2359300d6054ca14b13262eed26e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b4ca33bfec94d82c3a77fc7ba0e239a2

SHA1
521c90e3ad4f93cb26c6e060e1a5aca84230d039

SHA256
b5325b46a278577f185a3c1593a3a76d665e958fd9cdd95c20d4d2828aaf1b83

SHA512
2ba7407b2101e90cecdad3e1942333ce127dec61b3a5715ac65e6b2982f077a1eebaef80e8dbfce8ce3b8f0f45c0049e359d2320adeebe6cee7840207c47506e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b1097dd5dd722fb45723b5817ee865b

SHA1
ab25c8ebba15b86990f1d0dcaf38ecf0478a0a59

SHA256
2283a94f18d156e1de3e065fd0075d30302ca2c6450163a2f9b53160d335ae96

SHA512
7ac3c3a1092ee4368c47367972fd4017d9b8fd3eded0030ab9e946e8bac86e9147fbdc8888d9ab3f82366b1aa66f477e404b85a584799b052b609b44f166d11e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27eb6805420707d71045f87afab1a1fc

SHA1
7fb1737b3fa1d5a6bd12638592e2ffbff1dc4c9b

SHA256
aa4354737513f6ed929ca008091c30f23a5489f9f043eddbc6d4b905beac6b5a

SHA512
0e54509a851ac2067e310d7702dbafd8a4d7e1bf477cf6627c856e473b117b2926a4ccfede08b085f81a7bc7a241db8ea00d4d141fe7dfd7ac881f8fa7d9f8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c11431f48cdc9158ef79dc5a28dc57ac

SHA1
931c382f3babb4a11e367b8ef0239d12ad73eb8c

SHA256
717aa46603194abedc15252d511a07432767aefeeb0d081045cf2805bdaf49cd

SHA512
e3b78372269b6799edbf252f48f5421b91d2f3419604980610d8595d664aa006fc655bf045d2f177df567a63eeb0363c3d01cea63e5cb1c05c2d6fc1d5dbdeb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe58408e.TMP

Filesize
140B

MD5
6bb03a0e03f668009f8d3d1c5ff16344

SHA1
4fc137932256e9256ace5d6ca3a6e9c7f2f4d724

SHA256
b034579b7e593c68f925657464b7ee9719675e4f3add8b703561d14781e13c9b

SHA512
56c49fef0b37e1a960a872e47f34ab164e065f59e8c2d4507cb74e159158356b0149bed3d308ef8f101cf1d6855afeac939e0cfc789b6df3bfc93889a6720074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
cc71ac39af7591d252577730316e6f35

SHA1
451f6f2927db705ef4cb7b6fbb481bd019017205

SHA256
5aa04748f90b0f092047e525a531b2d98b8c4c8068802e9c811ec916d5aca805

SHA512
931fb88a1b5fbfc6010fefa21a4c51f3eafeb89f1c1718e258f419ec259de19e0b951b29d59039421efbe9acaca9af67d7a86e6ef030ecbdfb282876cec2764e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4ae7ab9b981922837aae1c86c7f726a3

SHA1
1783e0788fb2a103d71bc9a05ae2fb85c0d70ee9

SHA256
b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7

SHA512
79c4bf39ae1761414b5f37186c2483a4b8755168824d6e783ea9cab26e7c0118f391b6417c622b65ea3ac3924ae745a6abe4838ca1d87671898ad90ae9a18e58

Download Submit
\??\pipe\crashpad_1204_BPOOYRNGWIFBCZYK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4292-49-0x000000001E990000-0x000000001EEB8000-memory.dmp

Filesize
5.2MB

Download
memory/4292-14-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/4292-13-0x000000001BA60000-0x000000001BA9C000-memory.dmp

Filesize
240KB

Download
memory/4292-12-0x0000000001EA0000-0x0000000001EB2000-memory.dmp

Filesize
72KB

Download
memory/4292-9-0x000000001B860000-0x000000001B912000-memory.dmp

Filesize
712KB

Download
memory/4292-8-0x0000000001920000-0x0000000001970000-memory.dmp

Filesize
320KB

Download
memory/4292-7-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/4292-6-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/4968-0-0x00007FFBA02D3000-0x00007FFBA02D5000-memory.dmp

Filesize
8KB

Download
memory/4968-5-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/4968-2-0x00007FFBA02D0000-0x00007FFBA0D92000-memory.dmp

Filesize
10.8MB

Download
memory/4968-1-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download