quasar | 79f300b09c37db91ebf1028e55b2badc1892e858ed769a506b6a0a0b687c4eb0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09/11/2024, 06:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

cbd1f0ebb0cc7ab3065577d7836e094d
SHA1

6cbceb387dc251d5d362968bdde796b75e32a7e2
SHA256

79f300b09c37db91ebf1028e55b2badc1892e858ed769a506b6a0a0b687c4eb0
SHA512

305544157ac69d70b7dffb3ecdc28d03644abea39205b1ef4c0e84d3c648636882ceac3a825959523afd991f4d89bf248c5d64b581dfc513b1670db268cec531
SSDEEP

49152:rv+I22SsaNYfdPBldt698dBcjHLdRJ6JbR3LoGdgTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjHLdRJ6L

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.5:3389

184.190.169.22:3389

Mutex

e953a12b-d12f-4655-9196-2a906680e711

Attributes

encryption_key
F7A4C0B83260582C04F31A9EF99110BA6BD39592
install_name
scvhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
scvhost
subdirectory
js-JN

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3712-1-0x0000000000430000-0x0000000000754000-memory.dmp	family_quasar
behavioral1/files/0x00500000000450bb-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2204	scvhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\js-JN\scvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\js-JN\scvhost.exe	Client-built.exe
File opened for modification	C:\Windows\system32\js-JN	Client-built.exe
File opened for modification	C:\Windows\system32\js-JN\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\system32\js-JN	scvhost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756064252502758"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe
324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	Client-built.exe
Token: SeDebugPrivilege	2204	scvhost.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 324	3712	Client-built.exe	82
PID 3712 wrote to memory of 324	3712	Client-built.exe	82
PID 3712 wrote to memory of 2204	3712	Client-built.exe	84
PID 3712 wrote to memory of 2204	3712	Client-built.exe	84
PID 2204 wrote to memory of 2316	2204	scvhost.exe	85
PID 2204 wrote to memory of 2316	2204	scvhost.exe	85
PID 4820 wrote to memory of 4108	4820	chrome.exe	103
PID 4820 wrote to memory of 4108	4820	chrome.exe	103
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4676	4820	chrome.exe	104
PID 4820 wrote to memory of 4844	4820	chrome.exe	105
PID 4820 wrote to memory of 4844	4820	chrome.exe	105
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106
PID 4820 wrote to memory of 1820	4820	chrome.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "scvhost" /sc ONLOGON /tr "C:\Windows\system32\js-JN\scvhost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:324
- C:\Windows\system32\js-JN\scvhost.exe
  "C:\Windows\system32\js-JN\scvhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "scvhost" /sc ONLOGON /tr "C:\Windows\system32\js-JN\scvhost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff8eaabcc40,0x7ff8eaabcc4c,0x7ff8eaabcc58
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1640,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5044,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4420,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5404,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5392,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5508,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1300,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1304 /prefetch:8
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5600,i,2350153222641751889,2154597671479901659,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:4716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff8eaabcc40,0x7ff8eaabcc4c,0x7ff8eaabcc58
  2⤵
  PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8eaabcc40,0x7ff8eaabcc4c,0x7ff8eaabcc58
  2⤵
  PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0234a81d26910d3ef4936a7a52955221

SHA1
cddc803af646e61447892b9a52fbe6cdd57ff702

SHA256
8e11617289ba6cddf6006f08ae9a64349c1bff2e36b22ba604f9dcddecb40946

SHA512
0c5d15e2a27dbf04d14af7266c98dd67176a5a7017335158badfa126a386708c01df00bc9882d2442aa1132ec23df52677da20adec301b76cddd8de495914a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8e116dd4-0fd5-4571-83c6-d95cfe2242c2.tmp

Filesize
9KB

MD5
cc1d4e359b43bd8582d061f4fb157197

SHA1
d22b1e437c81ec0858d150681adf0e0adf865f60

SHA256
7130e3703dde04b3e435fb1065e69cbd8705edb689cf8de054b80d8f394440fb

SHA512
f5d247144aaf8d7daffc22cac8af8c07533b598191e6219967e72d2406c7b9887ef8784b8f2665e629628e9beec2cb00312de37198445e44296174f0a664fb96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f85757858b82451d4dd6027f1af68225

SHA1
674f31767c6038701075d62ff752b8ae19b87dbf

SHA256
c538ff14785aff802929a95c8d93ea635c626e6061668dc18f79baca82d1c79f

SHA512
fb7c556d31a6a3c11fd32a55fae68c2b6ca0a1c755fc0e44b3bebbe68eaded3f2617a2cadbe12ee5b1f49a1813b1035b5f554d2c4e41f95b82eae0a521c6d289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
62KB

MD5
24393e2ccc4e7a164f062df993d27335

SHA1
c8f960244677439e72295d499440f295ae5be7c5

SHA256
3ecbdf289749ebf07b749a91eb3db3d1f8fc338e5cae2dae22730fb893736130

SHA512
a675af57b19197f17a1be1351c3cee6a291f23dc2614081bd7bd71adbe5eb0d191c4d50b295d43b3a002d48454a24ef9e4dc52510f2db54dcfe0c8e71948d10c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8dc3825bdf8c06c52e1ddd65ed9e8a97

SHA1
e26a31531a74e5b8f1d09a10a4abd674f5345bdb

SHA256
9d6ac4d9ae1a9a5fedbdc4e585c5a20bec9555edc5be124a9e444783d5ecc61f

SHA512
ae8e5860b40da802f130cef57b52782242024b2efea263354fe2577cdabc78c6de5de090fc008ed9dc25bd96c48a1bb456087df25e2b5e5d6fe99caefda02553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9d9518a43282c6747bf667dbb1f261fa

SHA1
da2cf90a7f4e41ad0320ac67f022fccd44002558

SHA256
7c2eb9fac44802e88df8ebae49d01980da4c5ec91064d6421e5cb559b0626ac0

SHA512
bff351b85c86527e94852b782418b267ccadfdd617fc43b4e5a9f2e51d40f196213a293cb16a1d8a6942a4a2760e0b3356c958f703f9c43ec9e09e8d91a09ab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2735c2e8c58eebd6b6284a833f0d74cd

SHA1
ddd3051d5d1c8629fec62b48a85e8261b127c18f

SHA256
769ae0467ac2865f358ce5646e95f0dbe15fd2916588cbd33f856aec406d2b42

SHA512
0c7f9d485feb6a57078fe648c415b6645251611f4d95709602b4aeceaf716e3b5ee9cfcf301013c4dfd4fc04d6cba9f4f839f10ef9172c32fe4e999057524a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6adab8836df3dbd649e35e7b50f0b69

SHA1
614d8b2fcecd4aa238a2bbaf64c0260cc3b899ff

SHA256
d9d2afd8f31f88a51f8814f7e19510ff3aa1c89aecd525764af9ee870610f97d

SHA512
1495c2e1c3a93c53f7df237698e2225044abe4068c5652508c3a281bf56162d7a304a48310608c350af14fc5f45fdb48cf3026e17ce9a62d567970c7b15a6c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
97a87ddc365bd6dfd9ab6dfa64f70989

SHA1
009b75d69da83f57ec899b37afdda47f346897c5

SHA256
12f445e7834d27ddc506ba9458e64f8c3c61d4928efe941b56b43efe93b9214f

SHA512
abcad376b0e4792f51ef9568dc97520020a856f161b1cb6be2386841340d96dbc82bf1d4615130a31803010cebd7948fc35fca3a53c309848f704731eca9d22a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3001cabc5f34889cdf24edd038289ebb

SHA1
778073bd0ed74726b9eab031c68c583e2cfe2a06

SHA256
f6ba6f6f9c9ff7f0e7de90130285de7fbbc16349582ad0e0291b008dc2a11cbe

SHA512
6578a808a07e578d697342515e7936cbf8a4872b9fb3864a9e8ff87172242ad96a322a6a77b7845d22b3d823be45cbf3d44f3939f0db137f40bcc42b0cb026ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6568b635893ad85c08ddeafb13e56fd

SHA1
797eeaa6fda219659168eb0b1ef358eb96170a34

SHA256
f2d8c2ccf90a1ad0a2553f8d8cc8f604cc82cfa9bb4432b29a34eecea6b75cd8

SHA512
5da3b201136f99669e9084998d29c04076f224810a11f1cff64814937267cf9d4609d41225d6b2a00fb73fb52d5e767e0b0261686450004d7645209d5aea25b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4d953869996e5832dd77ca9ea1e692ef

SHA1
e6d840c20e5135e56ec6e779b77c306f7c5f0499

SHA256
24609f50f9da98a8bfaf9c764b9c86681fd12042eaa3511ae64ee7d620de62f5

SHA512
e4cac7c0f2b4ec1e639f478148f9bd08bf0644e31263cc0b2f43f246bcd8a03038ea08f04a58efe05fd560ef6d829d183911ff624e791cbb6570e9a5cb7f1805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
6892089b5ee56542db439755acd12d61

SHA1
4dfdf429316f5d00d5b438988e7f43ebe790a84d

SHA256
40121e4220c07bd465a017fb585c99ecff1dfcf7061bfac9a067d052d6ecf9f1

SHA512
2d8ae16fe244103dd52207a19b230d0b4ef2e83ed04e60d98a5d7fce5c6f52a7243ed5db9dc30fbba5bf973822267e01becee44b47f3f77193bc00d4166bb354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
39047e4813676293b83e41a9fe724ba6

SHA1
578dcda4dfb730fd9be85ee6c24c1e791d5f7239

SHA256
0eba4600da47070d9db37948dac9b1e3a9dbb0f8c75cd71270944652db129cc2

SHA512
050e5a0427653d8677f42cb28ea9e35d004f22bdca0f15c80621c7dafa19d73525f48b1a51d4957ccfce8e4856b6923f78a68d4702e427bc0bf63fc4b66754ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
e92856993a4223f3afe3cb5d7e445a09

SHA1
fd5255b2af1b1c701622592559f72cfcbb6d46a5

SHA256
8d57a7c449f012a3e7bd2c06b09601791718dfec3bc33849a5f078c0bd32ca6b

SHA512
9e887c0a73a7fe08940ad7278527dfaee575dc2d5d7abb1ed9ca08c70726b2ac24839379f1f2dd0f1285b88a73fc66c0ecf51ea80f4a17d8afa39d3a250ca272

Download Submit
C:\Windows\System32\js-JN\scvhost.exe

Filesize
3.1MB

MD5
cbd1f0ebb0cc7ab3065577d7836e094d

SHA1
6cbceb387dc251d5d362968bdde796b75e32a7e2

SHA256
79f300b09c37db91ebf1028e55b2badc1892e858ed769a506b6a0a0b687c4eb0

SHA512
305544157ac69d70b7dffb3ecdc28d03644abea39205b1ef4c0e84d3c648636882ceac3a825959523afd991f4d89bf248c5d64b581dfc513b1670db268cec531

Download Submit
memory/2204-8-0x000000001B340000-0x000000001B390000-memory.dmp

Filesize
320KB

Download
memory/2204-10-0x00007FF8F3550000-0x00007FF8F4012000-memory.dmp

Filesize
10.8MB

Download
memory/2204-103-0x000000001C8F0000-0x000000001C902000-memory.dmp

Filesize
72KB

Download
memory/2204-104-0x000000001C950000-0x000000001C98C000-memory.dmp

Filesize
240KB

Download
memory/2204-9-0x000000001C990000-0x000000001CA42000-memory.dmp

Filesize
712KB

Download
memory/2204-7-0x00007FF8F3550000-0x00007FF8F4012000-memory.dmp

Filesize
10.8MB

Download
memory/2204-161-0x000000001EBF0000-0x000000001F118000-memory.dmp

Filesize
5.2MB

Download
memory/2204-6-0x00007FF8F3550000-0x00007FF8F4012000-memory.dmp

Filesize
10.8MB

Download
memory/3712-0-0x00007FF8F3553000-0x00007FF8F3555000-memory.dmp

Filesize
8KB

Download
memory/3712-5-0x00007FF8F3550000-0x00007FF8F4012000-memory.dmp

Filesize
10.8MB

Download
memory/3712-2-0x00007FF8F3550000-0x00007FF8F4012000-memory.dmp

Filesize
10.8MB

Download
memory/3712-1-0x0000000000430000-0x0000000000754000-memory.dmp

Filesize
3.1MB

Download