quasar | de49824df46b1db23b705329e2013bbe0ad49d937b5372d8dae1dd56bc4ac465

Analysis

max time kernel
90s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Huxer.exe
Size

3.1MB
MD5

9f9f5cccd13664c2dd5b286b272754b6
SHA1

38ed8cdc75fa4d46535d2816e9b0618a9239ced1
SHA256

fdac17a6a4d49e1086ea1b72f88c3861f62abffef217855ab5563a26031647bf
SHA512

e1d78c861f1780245aa0af647206a2fa40de33c96b3a5102f19e335e3f9e0873a42093409b7aba289f72b2079291af3aac4d2ff19bb83ee7acef7478f44f8006
SSDEEP

49152:Ovkt62XlaSFNWPjljiFa2RoUYIzy7RJ6TbR3LoGdZSTHHB72eh2NT:Ov462XlaSFNWPjljiFXRoUYIz2RJ6F

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.2.140:4782

Mutex

cf851edc-cac3-430f-93fc-9c6fd7bc752a

Attributes

encryption_key
91A9A127B605D8AEEBAF1FC4373FB709BB07F819
install_name
Huxer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Key
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-1-0x0000000000A00000-0x0000000000D24000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Huxer.exe

pid process

2620 Huxer.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
2620	Huxer.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762273795164204"	chrome.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2788 schtasks.exe
2640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

572 chrome.exe
572 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

572 chrome.exe
572 chrome.exe
572 chrome.exe
572 chrome.exe
572 chrome.exe

pid	process
2788	schtasks.exe
2640	schtasks.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

Huxer.exeHuxer.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2648	Huxer.exe
Token: SeDebugPrivilege	2620	Huxer.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Huxer.exe

pid process

2620 Huxer.exe

pid	process
2620	Huxer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Huxer.exeHuxer.exechrome.exe

description	pid	process	target process
PID 2648 wrote to memory of 2788	2648	Huxer.exe	schtasks.exe
PID 2648 wrote to memory of 2788	2648	Huxer.exe	schtasks.exe
PID 2648 wrote to memory of 2620	2648	Huxer.exe	Huxer.exe
PID 2648 wrote to memory of 2620	2648	Huxer.exe	Huxer.exe
PID 2620 wrote to memory of 2640	2620	Huxer.exe	schtasks.exe
PID 2620 wrote to memory of 2640	2620	Huxer.exe	schtasks.exe
PID 572 wrote to memory of 880	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 880	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3420	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3608	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3608	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe
PID 572 wrote to memory of 3112	572	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Huxer.exe
"C:\Users\Admin\AppData\Local\Temp\Huxer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Key" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2788
- C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Key" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5028

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e50acc40,0x7ff9e50acc4c,0x7ff9e50acc58
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5220,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5540,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:2
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4688,i,18406742002376487030,1445250723497989900,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:5112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b8c66ebd82fffc5fd8c43c4f96dca4b0

SHA1
6ef02ca1a7b27a802d1d369935323d8e1c897e39

SHA256
6e5630e2515db6f1bbd4e84bde3512c66db1d4586125cea869babc39e17255d4

SHA512
a6b39bc905c7a24b76f4cd416794e9050b8edefb4f10dba8b061edade84074c98ad868029338c3cb67a4b44d6f42d3410311f813828a45cd7784177656853fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
e5997ba03b7e4c4afbb5cec3a7a1412e

SHA1
45075373b7e52738c92e6383239215532a6e2972

SHA256
77e5588265f4ff29c0b1f057fba3d9ce8a7dc23061a52ab5c1022be9de455b2b

SHA512
4ea9125ce9075d04236ff7d394307cc46ffb414945c0571b431fbf1cdb032cb1fc773fea5c4da8ae4250f050235d91d3cb17676a014b2b885cfe05be8d5cefcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
91ee96fc6944f05e8f8a7e4236274c26

SHA1
090ecc4ccd857f6c0b06b43cc58022485b14b957

SHA256
56c5f8ce8238146265266265bbbd2c558c7314ffbc8c2fd6bae6336df9940201

SHA512
1deb302775ab385321cb0e1b1ea860e687a19141a459d74b4d1b8bb3754fd872fdd5ab6b3bcfeaf7f528fefd55e854016aeffa2ae7c2ab32e236e78b282e8e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22935683e62c97957d9a080a04a80eee

SHA1
d4ab9ea918c6e4927d93319bb3a94fcdfa2899c2

SHA256
e2b586b26f74cc5caafacdf4e96cf208be58d73c4118f59e21e521bf2e942a3e

SHA512
d83e7bc89eb2281bae1bc928f1515ed2ef8cbb98278bf3a35a8a0e8334cda3fb9f08f6199f33be1e748c9e39a1d42483f33b0384a86586a8d179563fa517068c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2cb834f3de6e13eca8bd96883fd96d4c

SHA1
2bdf2f28de66f3f64fbf6e2537ab69e3179c4e20

SHA256
5909f26c444cdd1667d037f106f74693838f74766b2a99acc3147296540d4a98

SHA512
72fc300bb76b0b406d1a938a2b27aab146b5571514173c640e25d18dd0e03e43482eb4d0c1676de5a8dad8a42b0fae7052042a99deeac9f747c4219d05082fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3e59789720e115c827bba6cbab12352d

SHA1
0e4b57ec9368f77401b78d8ca2812bfc11272997

SHA256
9edfdcf9b59acf48357f060c339abb774ec50667b6efcf5444dbdabaf056571a

SHA512
d67413c912874f97efdebdeda6d0c95c845c5311c04a1c9e30140a02b4de7e9fba5c8c19edad35bd2d9eda4f35c0cac5dd8abc600cb41a180d2e668d4b56b0b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
39bac7d004d52e99304ed05e671dd52f

SHA1
abb337401b2b0ecc657263eba264c7a46ed8044d

SHA256
c9a742f56b4166ccee2ed40b71aa4e1d6b337521104440e59b01152216fd3634

SHA512
1d9442270d18dbc750dbd6105254b83af2eac1d7c36ffd2795919656995a5ebda950cebd97bfb74b36558bbb24c05c570899c4a658039d229030682c39284687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
7705e3725c7c2cda684316bdc97e628e

SHA1
23af5fcc11505f449adfa5967a72f73e4a33c7a9

SHA256
73d1503db29153c2b501b96aac97a2be9050062bd579c099f10e51a9c42b2e87

SHA512
e737220ab720fb50c56abc5ea15ce66e0ada459cb8615e78716c405e2813c51171750871a2f41eeb5812477b9fbc4e5a49a85e08345a6140547aa6c29c2bd905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Huxer.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8c1bf174-255d-470c-b38d-7d6a3e2e43f6.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir572_616390327\50517895-59de-4dcd-bac3-ffb64aa61bac.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir572_616390327\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Huxer.exe

Filesize
3.1MB

MD5
9f9f5cccd13664c2dd5b286b272754b6

SHA1
38ed8cdc75fa4d46535d2816e9b0618a9239ced1

SHA256
fdac17a6a4d49e1086ea1b72f88c3861f62abffef217855ab5563a26031647bf

SHA512
e1d78c861f1780245aa0af647206a2fa40de33c96b3a5102f19e335e3f9e0873a42093409b7aba289f72b2079291af3aac4d2ff19bb83ee7acef7478f44f8006

Download Submit
\??\pipe\crashpad_572_IXKINKPMAXGEIHKX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2620-14-0x000000001CA60000-0x000000001CB12000-memory.dmp

Filesize
712KB

Download
memory/2620-15-0x00007FF9EA880000-0x00007FF9EB342000-memory.dmp

Filesize
10.8MB

Download
memory/2620-16-0x000000001D250000-0x000000001D778000-memory.dmp

Filesize
5.2MB

Download
memory/2620-13-0x0000000003480000-0x00000000034D0000-memory.dmp

Filesize
320KB

Download
memory/2620-12-0x00007FF9EA880000-0x00007FF9EB342000-memory.dmp

Filesize
10.8MB

Download
memory/2620-11-0x00007FF9EA880000-0x00007FF9EB342000-memory.dmp

Filesize
10.8MB

Download
memory/2648-10-0x00007FF9EA880000-0x00007FF9EB342000-memory.dmp

Filesize
10.8MB

Download
memory/2648-0-0x00007FF9EA883000-0x00007FF9EA885000-memory.dmp

Filesize
8KB

Download
memory/2648-2-0x00007FF9EA880000-0x00007FF9EB342000-memory.dmp

Filesize
10.8MB

Download
memory/2648-1-0x0000000000A00000-0x0000000000D24000-memory.dmp

Filesize
3.1MB

Download