quasar | 175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579

Analysis

max time kernel
103s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

8d2777f7a9541759b2d6a4d713a5e0db
SHA1

f99839b640dd713cde9515fe9962bb344ef65f4f
SHA256

175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579
SHA512

544c55362443bf3f941319f84bae875db3ab9af29f31967a7cf2eb35aefba38e29ea2117c7dd43d7c6828cb0f37adee314aeefb7929e48a555e19138c3b15abf
SSDEEP

49152:PvelL26AaNeWgPhlmVqvMQ7XSKUc1oLoGdATHHB72eh2NT:PvOL26AaNeWgPhlmVqkQ7XSKUc1G

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-45302.portmap.host:45302

Mutex

703bfb38-0c01-48b6-b84b-a41889e3bcdd

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3520-1-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/files/0x001c00000002aaa1-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
3916	windows defender.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133780510857083565"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4524	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3916	windows defender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	Client-built.exe
Token: SeDebugPrivilege	3916	windows defender.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3916	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4524	3520	Client-built.exe	77
PID 3520 wrote to memory of 4524	3520	Client-built.exe	77
PID 3520 wrote to memory of 3916	3520	Client-built.exe	79
PID 3520 wrote to memory of 3916	3520	Client-built.exe	79
PID 3916 wrote to memory of 2368	3916	windows defender.exe	80
PID 3916 wrote to memory of 2368	3916	windows defender.exe	80
PID 2652 wrote to memory of 3348	2652	chrome.exe	86
PID 2652 wrote to memory of 3348	2652	chrome.exe	86
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 3188	2652	chrome.exe	87
PID 2652 wrote to memory of 1564	2652	chrome.exe	88
PID 2652 wrote to memory of 1564	2652	chrome.exe	88
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89
PID 2652 wrote to memory of 1756	2652	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4524
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7d74cc40,0x7fff7d74cc4c,0x7fff7d74cc58
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3556,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1600
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7b7944698,0x7ff7b79446a4,0x7ff7b79446b0
    3⤵
    - Drops file in Windows directory
    PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5148,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5224,i,5408632636090251560,17704418336558791105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:2
  2⤵
  PID:3372

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c1878bf166bc9b7561fe22f41ffc123e

SHA1
3f31ad23d1f3ec352ca6a8a6aad7e3db8a8cea86

SHA256
a0b0a5652abd22400945efa97990b5245c7e6b4e126f581fbc2152e7e8cc5b59

SHA512
76c4fcbeb87cd720fc16e126755e747f6e9e66ed83e99ca4cae5333f4ec5b7119875e2c42cb4ec2a471b59e26133a1827660c4348b00c6c1c238ef2e1d4db7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a29420c2abd9943a119421da924515d6

SHA1
e116f61c4def1f2ed2a5f62ba76b3f114d8e277f

SHA256
f4bec0594834816936c4dadb2d596cbd7b8ac26c0249dab281ab9ea57ef873c7

SHA512
47e7528889660ee714faf5ab1f9c504160c47581824bd2cf6f09473d3e9eccbdd355453b9100ec80f4f3037b78605526d3eba059d2eb2bd06d603ae8c955e52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc04b8dfb9739647b6c27d7df3d90305

SHA1
a35d9c5b26f11386c4b83ac6166d1580b11df108

SHA256
c42e22381b62ce5c2a47df6d2ea27e07ced421c619a5fd3cd34232f1443ea206

SHA512
c86c144b279682b37fa6bd393a295e21f72c4030dbd4084e0512590ac07733339ad9810bf1a0c53ab1e8306c64ea209e5f2c9a700c4d246da414b0a385d6deb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f42fdf3c97e4726c843660cba73c2298

SHA1
afc9fee7508613f0dd56748da2860cf214931a93

SHA256
ba16b3a15adb49cdc7513508a8c394458a4d9a47da708d9af334e69b61fa2dd3

SHA512
86e50999626858c2e4ddc55fb6e8751411ec23dd2f7d06dfd4b25fc8ed36c3951958529fec6edb25d9844fc177869f07aae209b6d937806f7cd7287f4dda73ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
437f36fa516c08afd984ffc2c783d712

SHA1
50e204dfffdd42a86912250fe26347bf00cf0381

SHA256
d74b1edd86577b9a3e56a40a4d846fcc42085a80a8ca0e5d98cbefb3e2135238

SHA512
4894c57e56e404c097b39d9678f99722f12e773bcd50db41687bc72dd93369a0d8389ba633b42b46af2066067af64a98dba4d4e7d72f708cc2e59a230512edf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
076c3a43e9d518ac2323198951ed280e

SHA1
e4e7b328d92f65fbefeecfcfac3916f53b489b92

SHA256
6f8a72a220287df4324fb7c52d9a926e3eb79c9dee50641df6ffcae3f934d2ea

SHA512
50e38ae4c33f5bad440b437daeadb071ac96385f1cb696d8b50b99a8a5d5cbbca53f815787c30ec14d7f75ab550b54dad6d982af311464df132408834d7ee8ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
947cf2debcabef245802de2f61cec2c3

SHA1
7ad9c8d87d9df399a80e7ac230eb2e337c105a6f

SHA256
fdfd53116f5e66e35ae851deecee66ee05b56c75dffbc064fe7f8cdf5c35feff

SHA512
26cdace45837ff2f58ba989e26692e2b42793753aa24307b03373eba10e53c2b63657c30fee4fb4fe59639a626d569ad313f16d91572a0ef58b1fc665dd1c2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2652_1116918876\9c1dd622-e9ca-463d-aff2-871f0ba6120b.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2652_1116918876\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
8d2777f7a9541759b2d6a4d713a5e0db

SHA1
f99839b640dd713cde9515fe9962bb344ef65f4f

SHA256
175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579

SHA512
544c55362443bf3f941319f84bae875db3ab9af29f31967a7cf2eb35aefba38e29ea2117c7dd43d7c6828cb0f37adee314aeefb7929e48a555e19138c3b15abf

Download Submit
memory/3520-0-0x00007FFF94FD3000-0x00007FFF94FD5000-memory.dmp

Filesize
8KB

Download
memory/3520-9-0x00007FFF94FD0000-0x00007FFF95A92000-memory.dmp

Filesize
10.8MB

Download
memory/3520-2-0x00007FFF94FD0000-0x00007FFF95A92000-memory.dmp

Filesize
10.8MB

Download
memory/3520-1-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/3916-43-0x000000001D0D0000-0x000000001D5F8000-memory.dmp

Filesize
5.2MB

Download
memory/3916-18-0x00007FFF94FD0000-0x00007FFF95A92000-memory.dmp

Filesize
10.8MB

Download
memory/3916-17-0x000000001BA20000-0x000000001BA5C000-memory.dmp

Filesize
240KB

Download
memory/3916-16-0x000000001B090000-0x000000001B0A2000-memory.dmp

Filesize
72KB

Download
memory/3916-13-0x000000001BAA0000-0x000000001BB52000-memory.dmp

Filesize
712KB

Download
memory/3916-12-0x000000001B010000-0x000000001B060000-memory.dmp

Filesize
320KB

Download
memory/3916-11-0x00007FFF94FD0000-0x00007FFF95A92000-memory.dmp

Filesize
10.8MB

Download
memory/3916-10-0x00007FFF94FD0000-0x00007FFF95A92000-memory.dmp

Filesize
10.8MB

Download