quasar | hxxp://github[.]com

Analysis

max time kernel
106s
max time network
104s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.67:4782

Mutex

374a6c95-555a-4901-bd06-e5367e7cb823

Attributes

encryption_key
742DB9D880F7E908B52B7865C98867C12FC7EE2E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004629a-531.dat	family_quasar
behavioral1/memory/2988-563-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2988	SolaraBootstrapperV3.exe
3308	Client.exe
1632	SolaraBootstrapperV3.exe
4916	SolaraBootstrapperV3.exe
2716	SolaraBootstrapperV3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801696613187036"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3600	schtasks.exe
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2352	2512	chrome.exe	83
PID 2512 wrote to memory of 2352	2512	chrome.exe	83
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 3844	2512	chrome.exe	84
PID 2512 wrote to memory of 4716	2512	chrome.exe	85
PID 2512 wrote to memory of 4716	2512	chrome.exe	85
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86
PID 2512 wrote to memory of 2816	2512	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff825b8cc40,0x7ff825b8cc4c,0x7ff825b8cc58
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3872,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4352,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5212,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5232,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5532,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5692,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5740,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5536,i,10987644124618188044,6130632448851750181,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2908
- C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe"
  2⤵
  - Executes dropped EXE
  PID:2988
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3600
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3308
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1448
- C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe
  "C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe"
  2⤵
  - Executes dropped EXE
  PID:1632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1416

C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe
"C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe"
1⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe
"C:\Users\Admin\Downloads\SolaraBootstrapperV3.exe"
1⤵
- Executes dropped EXE
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8187dc728d0aac9a54350a8247d1e70e

SHA1
2dac761fa116d10bf58da5db541ced1cb58b3fcd

SHA256
7d8a3bbd42c00ec21127193a9804cf8b9764d4dfa02e51cce5c4336f067070c3

SHA512
29cd4547c57f6d47bcde48295cd6d4199bc41a604be15240beb72dfee8e709edd04a8f01cebb3b8e0d85386d8969cf9a019f9d73ddee630a9d17a87d5eab3dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\350893b1ec258edf_0

Filesize
54KB

MD5
44db9677722103e49295b447b8aa2043

SHA1
735320933b5adc1bca6d280135186ca00051261a

SHA256
3d4804e8f730ef087f5c9b5943ad002f29819a3ca4c545c5cfa45e820556ee78

SHA512
ec61e891d9f6bea31bdeb606d150fca8a70d169c2005de3f6323f13d84ecbbf0a66bc0482a2dde18da9c7ba7ee6dff1e693a532b9159fc2a7219919d6cfa9499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\67978ba7df192b35_0

Filesize
286B

MD5
850f403ae0f7d9c54272cf75bc414ef3

SHA1
163577aebe4238322eab117226f3fa1e524b2372

SHA256
e3ef7573ae2e231a71be8de27f69fd5392b1cdaca245771d15c6d36b8a58bcd7

SHA512
0b79ca04dedb5bb6e3aa7a4ee72cac3056ad3d21235bc0fabb4172a7135acd83777b75d35c305db53187f3416fe2aecc2226af98713ee838fbf546b4899fc18a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
950b5f48b5d8ebb9639c414ba28c10e2

SHA1
9b29812e547ae1552dd6390f6211da0810b4bf54

SHA256
2f5f33a11a5a0ebe8aefde3570ede6c0d75272e71eb0cd97149beb6f5db33714

SHA512
d5127481362b68eb1bc43c25c42515c86f8f21bd4f4460253b67ab47703050fffc846a6fed4ccd7c5834062b56045910576aaf78d44dd4d60c3123511541ef47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
efe645d6756d1024775dea658c5b8ab8

SHA1
5f2b0b0b5b1fcbb9c8513dc18395ef03bff574e2

SHA256
b8d56037177572492113216ad93301331d9c1f455c5a66faf9ed9c0f36b03d8a

SHA512
f0a1fbf77148728c47f90cd0b2d30ec9efcbee6070e4bba121a53424b1635e618660f6bb231042014e72e1b4362783985dbc1281eaa3e82d1307831259931369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8537122c24f27d8a8f4af4f15769e754

SHA1
abfac49b5eb951fbcc2d754d937a315f85aa47c8

SHA256
4da0cf049d8b8a5578cf4abd02f8b07c28cf0f5fc569ed84f12d9f139c7f0bd8

SHA512
05830b762d67e790d35487f28720c6fb9240e1e84a8178d15c7ef0153544f6e94cc5302818ced270ec1f87e533b06095c736bc23e75a19f0d3143fbb73c331e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aa859aa614ce67711752ad6e8af625aa

SHA1
2aa6dc8e08149dfa575927b818e264d828a5407c

SHA256
593cd4430edeb6f6d6488def0e83a1f195c6a25a24859baeac5741fce980f53b

SHA512
e150375509ba3f731289dd9f1cfad28828e6eb351a80ed5ef13495148fe351f05a0fff3af350a7bfd0a74c391b68a319b0ad6725944c76378ff88ba3a68624a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0565eb025753a80691992dc12888aff2

SHA1
f0119c9a67ff8bd2d7c75fbae145a9d8dd03c85a

SHA256
d99a3b81db82bf3fa681424e2efac0b6a24ba2a2400129f5e9c9b6ba43127149

SHA512
dcb27c6091d81c33be17bbad457ff638c606847d513d3200f58d656aae8c74025b3cc8c9a6811ac3ee0e7c87f0e20f7c15b27c321693fc0b7f1425403639de03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
51abfeaf99b4bd8ba2f0233ab7c35bd1

SHA1
5b33848b57509bd63c11059e85fd194e8cf1373b

SHA256
d86503b367df2c6bdf84072381738dd381110885145a9f778bf8b60ee0ac5ee5

SHA512
d0c03bdf3ef12ba06b87be52f1a3a45e8a5236c25a8e621e1f0e6767e89898a99f1fb6069d210a12a3065658f6309c422084dbde3e90c63d7c3ecede9f35312d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8dc1f01cfc560a5efdd41afdcc4c1a49

SHA1
e5cf12a0e1c859064ae6c2f87aff8da3333d229e

SHA256
fa0c32a6bbc1534633fde195d148e989a7853fb91a62447d7d72080fef9b5f23

SHA512
f86e9fb181ddfc857cad26f0a51526b29f1777737254c78f98957e85e1dbe430dae16fc39e1920766d76f259c43534dac62f761898f99833a03cbc468532f477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46629501667e4f0832a01b7622699da1

SHA1
ab94855b8a5004dff56599b22085a2d12337361f

SHA256
ecf9ce91451e35c358a6140c8d6900fa7c16f2d7a0d02064572f29f14ef3b165

SHA512
72c701ac53496143cb4e9f2a8207de8d20c7256dccd9de2755c90662b8b8bb14c093361d6da5505f85c8272df6d51ee60f9cfe39d8d252a077760b97d3f5ff7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
db9c3467ae1dd8c565c2081a787c534b

SHA1
6360682da337af2823d5338a01e29c626c274277

SHA256
eb259f7257e1e2a810ffd6879edf330157c3667fa8d1ba20018f8bb927379f05

SHA512
bf01d53f2504be2fb94042a9d557ad70b2434113d0b7eadce149b3fd33ec542ee58d87fc9c701afb078423511d7044988be9315c9816023881375b0cf57a53e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
309f8bfbd9dd452f508f236792bef965

SHA1
97305c189d65a73cf6b7e02bc87b04235d8579fa

SHA256
def866991be756a2ea663689959be050059f8962e21b510bab315a6449e82550

SHA512
5813d97fead5eee2bdaf0e7fd3013bfc28dbcec3fcb2411215bb761708abb8777af72012cef1cbbeed3a47d03bbbb96554bac9ac715d6c9ef493d96e9200e557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd87eda20cf7ec4d88a5a10ea768f5f4

SHA1
16a3db4fbdd87eb1aa30b23125c10a77b3eed75e

SHA256
9fe869bff0f3c19336636e883214e64cd81107aa24ff3e11d25838ed16ab3d86

SHA512
32a7a66778343f06e7a1e30fae132577aa3f4068b9178b1d86a3e0adfa5f7451ed7395f43a309e1c9f810f3a6e80e001a1f061140771d1689384bba4a97a0265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2118af8ee38c7d508037f43fb60e78a

SHA1
c5d4a95ede67b8526d4ae31d1478cb8b5fb86be7

SHA256
d1fd0fdb1bd757a3ab6946ba8dd12ee8ff5e9149e32a79610c6b3e10c019a08a

SHA512
d1dfbabdcfb67e4a075d573b4a73efc17d5311e90911628c9a132839c1ef6cbe803da2dd7e73dc522abda49fd96fca2ce6cfee443e44121a1eb2694e1ddbfbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bf795a33af5b7893e4f1cb20b929dc6

SHA1
00f89205e7a2bd21926825413b471e52f4cafc80

SHA256
1d1e28a0a9eb52d3f813cf3201bdd33de49a8b09e7d92f9cb7cf6e576aa3d18e

SHA512
297c3750df578bdc54641034b43bb83c044297d2b8d00f2c35d4b50129c2aabb3a03b65504452759c153fbb783947294b027ab940635ccb5865a1736e13bdb5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13cd75eb760c052bd4f6c0c683f28ee6

SHA1
2d6998a9d2cb9b06867df7c91e3b36cdbc3d9dfd

SHA256
89ec4769e10a88ec727def2d9b6b5de04500182865e42c725806d983e4365277

SHA512
6031563fcbce4ea4e2b2c9f505c5da2ae6380b8f0ce1e5163c877bbf4ca5cd1d25864cf6666778737b59f5e6fbede45c8354d6456b08d93c5b619c4a2f0db40d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f38b23d28c4388423552e770e261187

SHA1
2e05f0acf4eee6484b5980feb71b71cf39697cc2

SHA256
3ff32821bbb5e7bde1614ba06d174bf9946c35d44226b24035172a3a5a66cd97

SHA512
8e2798bee299f20423d8364c719caf993d39be31fcaf6bd02cd5b83757126b4a8d07157b1c9768898e9aa92fe31d67b0d1d128f1b7735ddf0e24b35a75b43a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5667c72a15b253a6c721331fab3ad79

SHA1
4ce435d2a489e1a19e2171443a1401eb6f680dba

SHA256
b2e284c3517a716db79f9fed41d4ea239c81051f437da5d25212841cd9f94666

SHA512
be906c6148b9e60ad3ccccd911dc1515dd523d8461b9e0d949ee9f29c7f66306e6049bd92a45f3f212f4e8dffe56b4e4b42a642b75c82f6e1240678b50a32513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
044010f17fff221a968e960480f530e8

SHA1
f48c9abf5113ddbf63d3d0a14ce2285d434d7904

SHA256
38ec8df4d548034b09d0d805ba8e5214a87be593293199d74290387b1e5a5126

SHA512
a6d3374fe3471c1bf6edad3dc6a90c42fe3b1f074287bb83a613579fd25ef7d5b8c322f11fa7960f7d7beca7f5c18044ab8683bc6d89be19319e152fbc5915a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
046c867ba404133f6a722e6ffb43cf5b

SHA1
d962f9e5f2de2c02b9d57e746c16d2149538781c

SHA256
cd5abdf24868436acef49fd5c7287381d8e65fd65bdc01a5d527ce66d9c40f1e

SHA512
090cbf276f13a6512eefb486fef22f701f843ca87cd111f4322bd50dd44c698afcbdba48650ca4f4ca9b2315582c47d7e0aeb079d9f2b6ae9e08abbd5e915c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
547f969118a71ce71dbbb503a77e4c37

SHA1
b9a01322e947ecbd3d448959818a17b9bf01aa81

SHA256
cfef8d945699a6e3db938f34221e321b7064672d1d75596a84849da26e3be582

SHA512
a1ee68d9ecc3f2fe89832f9a70fc8624bd78751603a040da4d25e9b7fa4f0f2135caa7d11420f30c8f15568143166e358b0c9f216f30114bfe90dbac019bf55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapperV3.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 220025.crdownload

Filesize
3.1MB

MD5
f343329602171f5113bbbfa16e241d26

SHA1
4a39419d74af08c76dd0e682bfde1717025c4b13

SHA256
de15026ca0c8d16cfca79aaf409320dedcc8318047157b7d769a9ca8adf612f6

SHA512
2244ada0f82260bb6241996dcd70137f45473e7a01e71ddae076c19ef9611cf1f0d65d450305b219910512e0f5c6e919e101aaacff169b676a699ac273e0de87

Download Submit
memory/2988-563-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/2988-576-0x00007FF813280000-0x00007FF813D42000-memory.dmp

Filesize
10.8MB

Download
memory/2988-564-0x00007FF813280000-0x00007FF813D42000-memory.dmp

Filesize
10.8MB

Download
memory/2988-562-0x00007FF813283000-0x00007FF813285000-memory.dmp

Filesize
8KB

Download
memory/3308-577-0x0000000002A60000-0x0000000002AB0000-memory.dmp

Filesize
320KB

Download
memory/3308-578-0x000000001C460000-0x000000001C512000-memory.dmp

Filesize
712KB

Download