quasar | 7d74f4b82a1de0e876f2db74e9c0e306845c43b91282a8131999813b1704e8db

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CollosalLoader.exe
Size

3.4MB
MD5

8c38855e8217b6e6ba9726e9eb2e6dbc
SHA1

dd39141900c816d4afe09492076dd32f7a66053d
SHA256

7d74f4b82a1de0e876f2db74e9c0e306845c43b91282a8131999813b1704e8db
SHA512

2017b7baee3bca4462fe8f54de139c577342a4e615808ab37e486662b52d5a7062203dc99648cdfa9fa7fca004e4d557ca0c7971069c11a28bfe430042513784
SSDEEP

49152:XvDlL26AaNeWgPhlmVqvMQ7XSK0Nmf4ar27oGd9FeTHHB72eh2NT:Xv5L26AaNeWgPhlmVqkQ7XSKSmfA

Score

10^/10

quasar clslmw3 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CLSLMW3

Fluxii-52940.portmap.host:52940

Mutex

94dacbda-c52c-4bca-bb33-6083baee5fc3

Attributes

encryption_key
FB0CEB9B14FB83E904EF6654FB1D7D8D8D43358F
install_name
CollosalLoader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4476-1-0x00000000009A0000-0x0000000000D06000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aae5-5.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3788	CollosalLoader.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779944437801912"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
4240	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	CollosalLoader.exe
Token: SeDebugPrivilege	3788	CollosalLoader.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2372	vlc.exe
2372	vlc.exe
2372	vlc.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2372	vlc.exe
2372	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3788	CollosalLoader.exe
2372	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2064	4476	CollosalLoader.exe	77
PID 4476 wrote to memory of 2064	4476	CollosalLoader.exe	77
PID 4476 wrote to memory of 3788	4476	CollosalLoader.exe	79
PID 4476 wrote to memory of 3788	4476	CollosalLoader.exe	79
PID 3788 wrote to memory of 4240	3788	CollosalLoader.exe	80
PID 3788 wrote to memory of 4240	3788	CollosalLoader.exe	80
PID 2804 wrote to memory of 1896	2804	chrome.exe	85
PID 2804 wrote to memory of 1896	2804	chrome.exe	85
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 1244	2804	chrome.exe	86
PID 2804 wrote to memory of 2688	2804	chrome.exe	87
PID 2804 wrote to memory of 2688	2804	chrome.exe	87
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88
PID 2804 wrote to memory of 2400	2804	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CollosalLoader.exe
"C:\Users\Admin\AppData\Local\Temp\CollosalLoader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Win32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CollosalLoader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2064
- C:\Users\Admin\AppData\Roaming\SubDir\CollosalLoader.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\CollosalLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Win32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CollosalLoader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf558cc40,0x7ffcf558cc4c,0x7ffcf558cc58
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4304,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3680,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3528,i,15871903403822975212,17938392400675916989,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3752 /prefetch:2
  2⤵
  PID:2172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4776

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4796

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\UndoCheckpoint.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a5946124f97dd7680e41e668cc53bf44

SHA1
c952c061d564c055961662aaaad094ab7f98740a

SHA256
df8a46290cac1e75536c8dbab0640e8cb96c92d5867bebb2f15839dbaa003075

SHA512
7d2fbb4aa79f7eff3515f1ce3e9a6c04c35da3102729a9c407e4735d4a8fbf40ddf40152a4d3a43fde32aa72c19b17ba3563c5e0a037c2e5168a0c16ee168957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
de91e9fcb81701fc5cef7e4ac35fec0a

SHA1
61dcbab7b563f93ad8ac3448c472fc2f3db31db9

SHA256
3a9c9d1c36b9d5dd5fe49cdce9433091182eb9406c9d7ee27e1c47a64756a277

SHA512
6b1b74b41b281d5a770f8141b80528b598b65423e6ba9ec5ea576dc4849af7d78c4bab673aa6de7f11898b7accf3cf6ba357ebdcc5f75c926757c5f2d86861cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dbfb6f753afd4ae815ba4e94e88aafe7

SHA1
6ff8b8b84f26a9f548aca49d36dcce60b700f745

SHA256
037083a156f895c97452373b36c820506d2a7b053dd6ae10756e59a1375de793

SHA512
6b8d5be44e62d02027ff2ef3f09d93317c3404365572dd036840189a48ea50dc23965ce5b574e2d5f36d15702273bdeb7c2a63bcb51f67a8ef0b9f01c46e5874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb5627ae95c9a1d9b336bb76d2e6bce0

SHA1
fa1d08b616aeafc6ea02dc6198d902918749eaa3

SHA256
9af9a832b5d5f239d8dd19ad8eb0ac4aacc274cffb1e28ab3306dfd617223684

SHA512
ba57933e4ab0ef0eb7482ce9b1bdfe7d50b64727ee1285745e5b00796f7530aeef5891e94911946b4e27cfa40ce8f778e59d6baa54ed075b8848336a8e0bddf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df21ca41ac717c58652ef808b28f7c9a

SHA1
6cc072d6e8807d01ad60388f727fb11f9de06ea4

SHA256
fd5101e21aff6abc53c6afb4c043a0b21d892ea8901fcc138e741af96f22ba4e

SHA512
ac058339973b49ac6f7116daf2e24157a50cf54e31d4a21eeb8f153a2a08e1e914d58c9b904702ae7fddc77408bc78f1ce892c51be2d17776cb2f1c2866ba100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a5013933d2ecd1ec3b5ea4c807daac8

SHA1
edcc3e7e64a315528a04880a666680dcce25b690

SHA256
9bd2dbd0e3e2dac02b018bb495076e79b7d49588aadda34ac3a80cee9bdf29ba

SHA512
246300ac4f2f2bcdffd33bbb1c20a1e6be1d8a7cd1147d575893bbacf234f62058d753d51adeacfbf192fcb150769a310d97a67a0d5df55ff80e3f6a3db0b849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d05a101c96ae18ec42740fdee0fa24b0

SHA1
ce371d7b9b1f5dcd4445f065d192d493de3dca4b

SHA256
9c55ec113973debc03446b7f9d67298f9052bb946bc1b014dccdd057625185b4

SHA512
25f802c5408a5d81a38fde04467b0c749e20dbf821095eb809b0c306c32e6ffd114240b297553b29a1c1475687d0cfbcfee66f27764ae25ed7ed8fa03e774869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad278d015ec5a3052a3e1ae8eb58da7c

SHA1
b988236940ac82eec1a2fc95335622d4adf127e6

SHA256
0b723ed576abf2d71a2aa215b3bd94dcb337a08d37b4abb9dccc118963877b5e

SHA512
2b9552ecc65635d17d416b8d1af6d5321f5e8f4bc0b3d6aec6dce3aabbd1a4bcb5f18159ddca5561417a9b743e9616ccf25bab67b7f0929bdc71244b7f9ff423

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1e3d60d534300112c18bf00f8ca93c8

SHA1
7a7d9b4b35e0fce0dc03e8c0c832e3777ea52945

SHA256
b992a2c61043fb93a6b9d2e5c9fee898cb5fd93c9844bc97555a85a68f4e389a

SHA512
91cddc23ee89889efe2937205339c659f491c26a1a41bced68ca8407d87332ea2bfbcbf7ad0f50f23f62ebe533c5cd7608ad0e7f1a2b96efc6b73cff19f46be6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71477b32356bd1a69ace280f30d08f3f

SHA1
687189570342f6f7d4112d9a84a49110800e1b46

SHA256
9eabbe6fe74b059261989a805fb621e1ec5208fc2245a1ba34be5e17ab169294

SHA512
6b302641a39cce407c165306c6fca607c0da0940b77138afa33c4f1fdeec88bda81091a9e862a8f53baffea3c50972998a46aa6f72c4795e2280bf39d67b9f31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3958482c46fa613045543ca7a4c69a2d

SHA1
b734dad7107be1605d55abcf1f547cc55a005ae0

SHA256
03810721658d3a9ecb792042f0eabb0825f1bb2a1d2b212a862b1f527c1a8dd0

SHA512
ab19f57dcb2d84b86da8872d630e910fce57c282587f2d41b1ff78a40b39efafefc4c43f010af8aa1d89c9abe97e0dbc3046645c3102a804dd5c545611ba2861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
174610786a22c9ee480857179977162e

SHA1
511863d2d8e31f471404df3a3e2136305212113b

SHA256
18f2937b0a5f6023a1350145c4cc6d66aab7fea827a54bb409768705dfca21e3

SHA512
d61cb4a4913ad6e4fab7c6dd22a8d0d8932c6c84640fef355b0107a23b48ddc6c92a89da9e2705707240146344db0db3ad7f4005bd096c7c1fef7208c72971ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
8585fbc2d8b1d22b4e4e302a50bf5eff

SHA1
ba37c98363b40659305ec115d7503cea26bc9cde

SHA256
831fc3b9a97e20113bff113764e82d0bf235df2a0810518b8868b9889ed4870c

SHA512
185e47c408cacd20afe583d997906f55cab7fd53015bbd8c0ef708befdf0dd8af1ba7d17c43a739e2f0e9fbb07d82f8b677aad94013b2a16313b2647223e889c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
513ae4304a31e524354f685d5999538d

SHA1
c42aaa81c5a06d48eb434e5d11437e8c9e9eb423

SHA256
982ffb92bc532f14ceebb9a6671ea07ceefa0051e6e743e75cb53f635fe0472d

SHA512
57ad196031f7cd60b2876d0f67f6ede9928e2bad469b311309cde06e93d72eb08448e2d5caa94a7d4dad0f2ceca0c62df26b791ec3baf396bddb933a964e0691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CollosalLoader.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a41c3f81-52b9-4a6e-bd42-5e9b7201a793.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2804_302572425\20464454-9526-48a1-9a9c-d720ddabebef.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2804_302572425\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\CollosalLoader.exe

Filesize
3.4MB

MD5
8c38855e8217b6e6ba9726e9eb2e6dbc

SHA1
dd39141900c816d4afe09492076dd32f7a66053d

SHA256
7d74f4b82a1de0e876f2db74e9c0e306845c43b91282a8131999813b1704e8db

SHA512
2017b7baee3bca4462fe8f54de139c577342a4e615808ab37e486662b52d5a7062203dc99648cdfa9fa7fca004e4d557ca0c7971069c11a28bfe430042513784

Download Submit
memory/2372-481-0x00007FFCF4AB0000-0x00007FFCF4AC1000-memory.dmp

Filesize
68KB

Download
memory/2372-490-0x00007FFCF4790000-0x00007FFCF47A8000-memory.dmp

Filesize
96KB

Download
memory/2372-484-0x00007FFCF4840000-0x00007FFCF485D000-memory.dmp

Filesize
116KB

Download
memory/2372-485-0x00007FFCF47B0000-0x00007FFCF47C1000-memory.dmp

Filesize
68KB

Download
memory/2372-478-0x00007FFCEFC90000-0x00007FFCEFF46000-memory.dmp

Filesize
2.7MB

Download
memory/2372-483-0x00007FFCF4860000-0x00007FFCF4871000-memory.dmp

Filesize
68KB

Download
memory/2372-482-0x00007FFCF4A90000-0x00007FFCF4AA7000-memory.dmp

Filesize
92KB

Download
memory/2372-477-0x00007FFD02570000-0x00007FFD025A4000-memory.dmp

Filesize
208KB

Download
memory/2372-480-0x00007FFD037D0000-0x00007FFD037E7000-memory.dmp

Filesize
92KB

Download
memory/2372-479-0x00007FFD0CF00000-0x00007FFD0CF18000-memory.dmp

Filesize
96KB

Download
memory/2372-486-0x00007FFCEFA80000-0x00007FFCEFC8B000-memory.dmp

Filesize
2.0MB

Download
memory/2372-502-0x00007FFCEE400000-0x00007FFCEE411000-memory.dmp

Filesize
68KB

Download
memory/2372-501-0x00007FFCEE8F0000-0x00007FFCEE947000-memory.dmp

Filesize
348KB

Download
memory/2372-500-0x00007FFCF2D20000-0x00007FFCF2D31000-memory.dmp

Filesize
68KB

Download
memory/2372-493-0x00007FFCF30E0000-0x00007FFCF30F1000-memory.dmp

Filesize
68KB

Download
memory/2372-487-0x00007FFCEE9D0000-0x00007FFCEFA80000-memory.dmp

Filesize
16.7MB

Download
memory/2372-499-0x00007FFCEE950000-0x00007FFCEE9CC000-memory.dmp

Filesize
496KB

Download
memory/2372-492-0x00007FFCF3100000-0x00007FFCF3111000-memory.dmp

Filesize
68KB

Download
memory/2372-491-0x00007FFCF3120000-0x00007FFCF3131000-memory.dmp

Filesize
68KB

Download
memory/2372-476-0x00007FF6CAB80000-0x00007FF6CAC78000-memory.dmp

Filesize
992KB

Download
memory/2372-489-0x00007FFCF46C0000-0x00007FFCF46E1000-memory.dmp

Filesize
132KB

Download
memory/2372-488-0x00007FFCF3140000-0x00007FFCF3181000-memory.dmp

Filesize
260KB

Download
memory/2372-498-0x00007FFCF2D40000-0x00007FFCF2DA7000-memory.dmp

Filesize
412KB

Download
memory/2372-497-0x00007FFCF2DB0000-0x00007FFCF2DE0000-memory.dmp

Filesize
192KB

Download
memory/2372-496-0x00007FFCF2DE0000-0x00007FFCF2DF8000-memory.dmp

Filesize
96KB

Download
memory/2372-495-0x00007FFCF30A0000-0x00007FFCF30B1000-memory.dmp

Filesize
68KB

Download
memory/2372-494-0x00007FFCF30C0000-0x00007FFCF30DB000-memory.dmp

Filesize
108KB

Download
memory/3788-15-0x000000001CCF0000-0x000000001D218000-memory.dmp

Filesize
5.2MB

Download
memory/3788-14-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-13-0x000000001C3B0000-0x000000001C462000-memory.dmp

Filesize
712KB

Download
memory/3788-12-0x0000000002F20000-0x0000000002F70000-memory.dmp

Filesize
320KB

Download
memory/3788-11-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3788-10-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/4476-0-0x00007FFCFBEF3000-0x00007FFCFBEF5000-memory.dmp

Filesize
8KB

Download
memory/4476-1-0x00000000009A0000-0x0000000000D06000-memory.dmp

Filesize
3.4MB

Download
memory/4476-2-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/4476-9-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download