quasar | 8ddc45e76a22fea557868cc10562e4b63bc7c824dad9fcccdbaa5a813b679acc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7678d644944930e21d507388397b58e9
SHA1

d4e6ccc7799dcddcca125f693332fa0d2eaec633
SHA256

8ddc45e76a22fea557868cc10562e4b63bc7c824dad9fcccdbaa5a813b679acc
SHA512

2767f9a907d2936d17e5e91ef8d86728e1b9a5fc26eb94206958bf3820ec5cf2704e6c2f05bfbc5717afb382dd908ba6cbd8b0a7fb3720770e57e57b41664871
SSDEEP

49152:ev9t62XlaSFNWPjljiFa2RoUYIaxmriMfbLoGd6THHB72eh2NT:ev/62XlaSFNWPjljiFXRoUYIaxmrV

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.19:4782

Mutex

661876a4-75f0-45b4-b622-5207e929a109

Attributes

encryption_key
CA0623419E058E855A1DFBA27E90975947AE225F
install_name
Client.exe
log_directory
Logs
reconnect_delay
50
startup_key
SubDir
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4788-1-0x0000000000540000-0x0000000000864000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023ca0-6.dat	family_quasar

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
4512	Client.exe
3484	Client-built.exe
1528	Client-built.exe
4676	Client-built.exe
4908	Client-built.exe
2912	Client-built.exe
4260	Client-built.exe
1632	Client-built.exe
1044	Client-built.exe
2028	Client-built.exe
4932	Client-built.exe
4864	Client-built.exe
4484	Client-built.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803405272963931"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4648	schtasks.exe
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	chrome.exe
2208	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	Client-built.exe
Token: SeDebugPrivilege	4512	Client.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4512	Client.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4512	Client.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4648	4788	Client-built.exe	82
PID 4788 wrote to memory of 4648	4788	Client-built.exe	82
PID 4788 wrote to memory of 4512	4788	Client-built.exe	84
PID 4788 wrote to memory of 4512	4788	Client-built.exe	84
PID 4512 wrote to memory of 3792	4512	Client.exe	86
PID 4512 wrote to memory of 3792	4512	Client.exe	86
PID 2208 wrote to memory of 4784	2208	chrome.exe	99
PID 2208 wrote to memory of 4784	2208	chrome.exe	99
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3552	2208	chrome.exe	100
PID 2208 wrote to memory of 3852	2208	chrome.exe	101
PID 2208 wrote to memory of 3852	2208	chrome.exe	101
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102
PID 2208 wrote to memory of 4448	2208	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "SubDir" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4648
- C:\Windows\system32\SubDir\Client.exe
  "C:\Windows\system32\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "SubDir" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb6072cc40,0x7ffb6072cc4c,0x7ffb6072cc58
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5316,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5612,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5568,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4732,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5464,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3176,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3172,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4068,i,18115985368290084682,5559763711383641271,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:180
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:3484

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1176

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1044

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7ed29ef998d751d735bcd434e1562c74

SHA1
35c7fa5c6a4e3ad41aa5d1017e7d0837177d5ad0

SHA256
95b8fe2fe056475890382722b347908a968cc9f28664b2a567f6cf1131b6c980

SHA512
a20f261810b7ceafefe01814bc0044235fd77b2ad6aa224e26065972441fad6b1254fac6b17636d1bcb1e17ca3c9f5c0f68720640f411e2585dc98b8572412d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
4ac98d302153d469863fa3c6dbb28dc6

SHA1
dab08d302cf3227453a0e46c04d01e32c6f18884

SHA256
2e7a6ef8caefdc8fd00c7c43e95870d2c355ab7d5c57ce7a06977ae1f5602e7c

SHA512
56c5d1089bfd703cecf3b7867a0674023ffdd766d9da233802527439fd37a5091bdbf97dae91c2b4a9601c6eac40c151ca9f1c8a9d01ee4a1d194bdd7baf33e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5876381ae4544ce6acda5b203e4d8169

SHA1
6aa747a822f4f42a24a9db8689d4d7de98a6fcfe

SHA256
a75142ba1ab24c2ea88062012712d6fd98dfecd163607c5d26d405dc35746dc6

SHA512
537cfc27283ba7de654bb4da43cd2056b6498fbf38cdfd17cdf7b9971d7f4e37cd07ec464e3c34fda32974db433025ed7be04b230098715111d977e20dc7753e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
6b385063b2ffede1dafa175323c535fa

SHA1
1379c2968414e24fa1aa053bf28034fd21f7c521

SHA256
ce85cc9cbac83ab3bacab454dd4ab9916225bfae5c50b5686a8b17f5ff6e0058

SHA512
4ed655da01c66a12e111c7e259d0c69ed9b53b2a70769feb38a6fabc89b9cc45c01f90023416dc7ebf1cff59dfe670d13ef437f103d0f5c362a8c4bf004a7b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
aff1ceb62a530f89db96ce7db7fed4b4

SHA1
f8bcc4d1acf4985cab07697f6cdbc89fe3805c09

SHA256
d92a9bb4bf5c436f6c0302527fe920bdf98724e9c817c53c89a283830c3500e9

SHA512
7943b4650d29c275edee7e8cf89cc5ebb7e78fabefc4c08f68385aa8dd4e725b7e4eee9f8cf637269d9d106aa1a92e0132c40ef4bf9c13ce279ea156558833fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
21cfd453ee3a55bd29b79a726ee98142

SHA1
e1eca39a6cf0c623be0ce9408098a79a58da7dbc

SHA256
0ba98ba92d6026720c761041104dde8ed72dda7fe69ab80f656fdad72934fe78

SHA512
68bf6e198d6d6910b23a8309dadb70aabf7a33ffa032032b3174b6b1d691f4c56165e4fc4623bb8691b41a1bfa28b49809785772345161d57479dbace0921f91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dd40dd3fbec12620221b98e775844da

SHA1
fb7ea1bb7620423fe4d81acd70272a269ead1212

SHA256
28443a3bb6d199b01f70f9664d5937208483f9b10d9202c4c8b6d5862c55f290

SHA512
f4f42f007c717719db3ee50f0fbbf4b32ca3328e41ccf40b17303b7c55d3c166ed326164b8670e0ccad5846d9765d33bb4b8e0e1999224c7b6342d442df2e149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df027770c0668e8c444d337885974b95

SHA1
bcdd3a48720b6c0b800091f283b85f6bfee678a3

SHA256
3934269af826c847e5e7e889e9dd576d95afc3980ad7f387ad4f38fc56224218

SHA512
052c06445688084ffd81da6e2d6ea3fea13c63c9a4beef0a004091083281e87aedf1836fe6f0f7adc9057403e75672d46805829eb05882f51daf29b888713cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5a4fe7c4a21e830bdecd1986b87fa1c

SHA1
c0e9427f0c58e6584c206523e6eabb418ba7cee0

SHA256
ffe51649f5644b25e22e83fe918e01cf0c66a841dfa91b3f0bef84e2f1475901

SHA512
95ee0471fb8ae3ad67618f4c2d2e56d3a307d79586a5c9726c217a5004ff418c483d4bfb8385809d9150f9282cffe94676677b1b856fa836595bc70a7a55e4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a041d752183bde31f14ef719fb7494c7

SHA1
bd5cc137242b9cb86d31e447471d1012e6be6f17

SHA256
e48675279ec88f74360984e5b30f6fc5abfad8a85748b6b3f1b8c70747a68bdd

SHA512
84ce17be271d7d0c12596320ba649774d130afed335f3af144ff1889b34aca27be416f2d39995f17b4b0ffdb22f72b36df5841aaeb0364f28a7cf0905c8f292a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28cf35e0555fbded7ba5275729864f6a

SHA1
3151e5d30eed7ae772cceab36e7a9a89905dcbae

SHA256
94da34a91d0f2d625257b2de9bae4f41e2ccc98c995f1483bd6e26a9f2594676

SHA512
0060ee99858d4ab29a63484f239d9a3d6bc76d6123a403a1995ec2f8bf5c232f5cb422f713fa9ccf48cfb091967c9c71dc2764b08c80f6bd32c28046bf02b268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fc34ccd4ecddd5e01682d58eeacccef

SHA1
c5cdec734a8203e98a61fd15ef8e9ee6e3153915

SHA256
992484f5e37e4bb6e9405b2cda56f52761e59c9be5bc6902774c12b0a3329cad

SHA512
5a598c5575135d94a99faf13c3bef7554646ea8a4c3d891927227f4c5074c983946c94887008401b22dd01d469e92f290d7fbd74a343716ca6f88eaae6ca7c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5297587f9b313543fd3ba431aecc1e9

SHA1
5cfa05c2d94eefdf157e8bef5eb0cb9344ea46f2

SHA256
00b254e19fa6846c9e51d75c247e2823765297ad7f29ee9b82b32b1f0b0b02eb

SHA512
48e6ef2b36b2f478c14d7257f8fef69553772e16f709aae6cf5a2ac83fc0c6e32de34b1d38b775bb54d7727758cd1192b75d57c0b036a9fca5a0900afa67b695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ca52a5f17db604c85a7d2bb72f47625c

SHA1
a805406be71cdc47b10fab443b309c9e0d48fb63

SHA256
91a91cbbd30dec467eb7063a92e4b345e3303945c56befa71e651c89b2412470

SHA512
b78217ec421b6d1b891c3236d3ef5309bce18dd98929aab8882d313d7a868a280705b4a570cbf46795d42cc22e19ca1ef85e405e9ed6e2b3e02faec3e0a2f097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
92d8d8e53a6bcb426da4f3fd1a5ad133

SHA1
7f1dd6707e3ab331caae820dfd48529d8348f27e

SHA256
27690e917d430aaa85ce2ad56a93f7e15b63dbac3733c860831a016c16411697

SHA512
fcfcad8cbaf38978b69f6e9b9692e1a563f781e5c57061e56ae386068aeeeb23d187b0fa1af55c882fc7833a72efbb945a8b79af482add6e98d2d116a3d0a2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ab039d2cf432a0a61e18bd878a1dffc4

SHA1
3fa6adeef9a0dc78d22578a84ef8ebfa50284797

SHA256
6dc506f067fe28012931174c8994fe239260116318ba36f27ec6e27b4901fbf7

SHA512
e42bf1411e86f082d966b5b905590da348152d06dca2e55b6b407c76e24a4e8e4e473cfeb6e0bcf6c0f676165850ef4b7b7b8a3e6047af3a182a6f7eb05ec710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
17eb0db665beb69916b10c23fc5e6cc7

SHA1
ac6da5ebb8f2d27e6d7d74882963e9ce5f6d22b1

SHA256
7292493c4b42fedc1a6ff0100b7858272e2fee2a00843479da735a07e784411c

SHA512
c20e06f5b5dd46389027f1f8eef805c72a55e30cb99b880534a60cbf9abf4b43dea306b387dbc646a6aeac58fc497fe01f49c0e5c69d9495bab33b8914e564d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\944983d2-3b4e-434b-8be8-85f39116a7f3.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2208_792566377\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 114146.crdownload

Filesize
4KB

MD5
bd2baa3a394a42cd5c7b8ddb2b5ae248

SHA1
f6bccf4eb3a2ffd9291c3d8581bd73f8ff58b2de

SHA256
7334509d220069f88db0c6118423eb24702d16b67a83bb14a2a9eb133003700f

SHA512
996da7933e0d2832b36601fcdcc1f3e09e38fb49e8160d55ef03570004dc6245d031ee8d5ac00c64a7374d940b3a1991e6cd1f2efc0351b415235c5a2eb26c96

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
3.1MB

MD5
7678d644944930e21d507388397b58e9

SHA1
d4e6ccc7799dcddcca125f693332fa0d2eaec633

SHA256
8ddc45e76a22fea557868cc10562e4b63bc7c824dad9fcccdbaa5a813b679acc

SHA512
2767f9a907d2936d17e5e91ef8d86728e1b9a5fc26eb94206958bf3820ec5cf2704e6c2f05bfbc5717afb382dd908ba6cbd8b0a7fb3720770e57e57b41664871

Download Submit
memory/4512-432-0x000000001E9A0000-0x000000001EEC8000-memory.dmp

Filesize
5.2MB

Download
memory/4512-14-0x00007FFB69680000-0x00007FFB6A141000-memory.dmp

Filesize
10.8MB

Download
memory/4512-13-0x000000001E070000-0x000000001E122000-memory.dmp

Filesize
712KB

Download
memory/4512-12-0x000000001DF60000-0x000000001DFB0000-memory.dmp

Filesize
320KB

Download
memory/4512-11-0x00007FFB69680000-0x00007FFB6A141000-memory.dmp

Filesize
10.8MB

Download
memory/4512-9-0x00007FFB69680000-0x00007FFB6A141000-memory.dmp

Filesize
10.8MB

Download
memory/4788-0-0x00007FFB69683000-0x00007FFB69685000-memory.dmp

Filesize
8KB

Download
memory/4788-10-0x00007FFB69680000-0x00007FFB6A141000-memory.dmp

Filesize
10.8MB

Download
memory/4788-2-0x00007FFB69680000-0x00007FFB6A141000-memory.dmp

Filesize
10.8MB

Download
memory/4788-1-0x0000000000540000-0x0000000000864000-memory.dmp

Filesize
3.1MB

Download