quasar | 4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

Analysis

max time kernel
43s
max time network
44s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07/01/2025, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fuckfxscanner.exe
Size

3.5MB
MD5

1e0a2e8cc5ce58715fc43c44004f637c
SHA1

f85ba3c4bd766e12ac11840939f5773ecc2f90f3
SHA256

4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd
SHA512

75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859
SSDEEP

49152:Pv4t62XlaSFNWPjljiFa2RoUYIdZRJ65bR3LoGd6THHB72eh2NTH:PvU62XlaSFNWPjljiFXRoUYIdZRJ677

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3376-1-0x0000000000C10000-0x0000000000F9E000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002ab0e-6.dat	family_quasar

Executes dropped EXE 5 IoCs

pid	Process
3496	Client.exe
3172	Client.exe
1804	Client.exe
4996	Client.exe
4496	Client.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3408	PING.EXE
32	PING.EXE
3924	PING.EXE
1540	PING.EXE
3528	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807587425238721"	chrome.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3408	PING.EXE
32	PING.EXE
3924	PING.EXE
1540	PING.EXE
3528	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1416	schtasks.exe
4380	schtasks.exe
4300	schtasks.exe
3096	schtasks.exe
2108	schtasks.exe
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	fuckfxscanner.exe
Token: SeDebugPrivilege	3496	Client.exe
Token: SeDebugPrivilege	3172	Client.exe
Token: SeDebugPrivilege	1804	Client.exe
Token: SeDebugPrivilege	4996	Client.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 1416	3376	fuckfxscanner.exe	77
PID 3376 wrote to memory of 1416	3376	fuckfxscanner.exe	77
PID 3376 wrote to memory of 3496	3376	fuckfxscanner.exe	79
PID 3376 wrote to memory of 3496	3376	fuckfxscanner.exe	79
PID 3496 wrote to memory of 4380	3496	Client.exe	80
PID 3496 wrote to memory of 4380	3496	Client.exe	80
PID 3496 wrote to memory of 3612	3496	Client.exe	82
PID 3496 wrote to memory of 3612	3496	Client.exe	82
PID 3612 wrote to memory of 2828	3612	cmd.exe	84
PID 3612 wrote to memory of 2828	3612	cmd.exe	84
PID 3612 wrote to memory of 3408	3612	cmd.exe	85
PID 3612 wrote to memory of 3408	3612	cmd.exe	85
PID 3612 wrote to memory of 3172	3612	cmd.exe	86
PID 3612 wrote to memory of 3172	3612	cmd.exe	86
PID 3172 wrote to memory of 4300	3172	Client.exe	87
PID 3172 wrote to memory of 4300	3172	Client.exe	87
PID 3172 wrote to memory of 760	3172	Client.exe	89
PID 3172 wrote to memory of 760	3172	Client.exe	89
PID 760 wrote to memory of 4804	760	cmd.exe	91
PID 760 wrote to memory of 4804	760	cmd.exe	91
PID 760 wrote to memory of 32	760	cmd.exe	92
PID 760 wrote to memory of 32	760	cmd.exe	92
PID 760 wrote to memory of 1804	760	cmd.exe	93
PID 760 wrote to memory of 1804	760	cmd.exe	93
PID 1804 wrote to memory of 3096	1804	Client.exe	94
PID 1804 wrote to memory of 3096	1804	Client.exe	94
PID 1804 wrote to memory of 3908	1804	Client.exe	96
PID 1804 wrote to memory of 3908	1804	Client.exe	96
PID 3908 wrote to memory of 3124	3908	cmd.exe	98
PID 3908 wrote to memory of 3124	3908	cmd.exe	98
PID 3908 wrote to memory of 3924	3908	cmd.exe	99
PID 3908 wrote to memory of 3924	3908	cmd.exe	99
PID 3908 wrote to memory of 4996	3908	cmd.exe	100
PID 3908 wrote to memory of 4996	3908	cmd.exe	100
PID 4996 wrote to memory of 2108	4996	Client.exe	101
PID 4996 wrote to memory of 2108	4996	Client.exe	101
PID 4996 wrote to memory of 4196	4996	Client.exe	103
PID 4996 wrote to memory of 4196	4996	Client.exe	103
PID 4196 wrote to memory of 2260	4196	cmd.exe	105
PID 4196 wrote to memory of 2260	4196	cmd.exe	105
PID 4196 wrote to memory of 1540	4196	cmd.exe	106
PID 4196 wrote to memory of 1540	4196	cmd.exe	106
PID 2708 wrote to memory of 684	2708	chrome.exe	110
PID 2708 wrote to memory of 684	2708	chrome.exe	110
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111
PID 2708 wrote to memory of 1408	2708	chrome.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fuckfxscanner.exe
"C:\Users\Admin\AppData\Local\Temp\fuckfxscanner.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1416
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Sb1plBnLK2f.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2828
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3408
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxgEDzsbxuQM.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4804
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DfPzjrGLa2a7.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\je4WZGrYXCod.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsCf8AQGqVId.bat" "
        11⤵
        
        PID:3400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1bf7cc40,0x7ffb1bf7cc4c,0x7ffb1bf7cc58
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4160
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff715534698,0x7ff7155346a4,0x7ff7155346b0
    3⤵
    - Drops file in Windows directory
    PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5312,i,3426783362583006285,3892376608643113788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:2
  2⤵
  PID:1880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4988f6a90a3303bec3a36a0052a2461d

SHA1
db1fe88568896a4de5bd6963ac790c58f5387662

SHA256
e050a3740bd7e5d8787cce4d1bd98426b2768dbc92f31b6287e1d9bcbccc1a1a

SHA512
860b3f3676aff266fa9d92a9fecca78d3083d438ac3bdfdbef69c0988eee894aee7389da96f719e0918b0b59fc45c4067f009cf5d0b5054136addc357d63aa7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Sb1plBnLK2f.bat

Filesize
207B

MD5
9ae3d2564a8c51be6aad9fde7e36c3c1

SHA1
973b01e4becb6de3c95fd6b3bb07b34694c4fb7d

SHA256
3d429451b3f51339af84e321a05833c16322f988b166f1ca94d63a47fbb7ebeb

SHA512
dfa14794eb432c61c14eddfe1765265db4b27c836d1c63d9f8926288260eef9e4319eddbca1b0c2c6492614361603e31d3b8e8bd478ff1f98eb42ecf35ada382

Download Submit
C:\Users\Admin\AppData\Local\Temp\DfPzjrGLa2a7.bat

Filesize
207B

MD5
5197c473d2626d7ea2f19317bee97779

SHA1
677fed7cc0e647ecc130aaea72ecbddf33b91110

SHA256
40bfa8d8bf2290a1676a1048378f31e457baefd972b0c5df6568ae7a8c834fb7

SHA512
9d432fb2e9e5bb1bc330dd02764b89b66f65e2d6a05bfd0a20984700b30392162c0d13325afc1a9e117e3a7a174b537367b2fdd91cec15b86fa0d1d65abaf41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsCf8AQGqVId.bat

Filesize
207B

MD5
7332fd18592f79c7fa2d7bc2dffecd34

SHA1
31d062291507e48b38a6bbca213d15a1dd8ef61a

SHA256
31c4675e3b8806d197fc9522aac33bf692dab3ef5f1f8fa7038a4058ec6aed7d

SHA512
382ed4c368ee68b458b8166c65959f473e5921f7e79c0b58b72bb0e914c154803bc57ad69d3f4ba82e4351b090d0a1deb548c8a786d1514953b3f3d7f950c80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxgEDzsbxuQM.bat

Filesize
207B

MD5
d28dc0831793099e771bf100eac794c8

SHA1
1b803e97c58cbc4b5956fe5d09a82cf8c82a3b6c

SHA256
7cb8baae96f5dbdce163dcb5200635ecd0e28b2115622c4496e8d4d415efbd0d

SHA512
1e2843ab4ad4f92e38bd3bdf65d18fd654c963aa06af2e86f644f3924b6c8ab334a14d82fbc0108c3380cf3684bbdfc2bd807850561e9de03f63cd9b8dab5fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\je4WZGrYXCod.bat

Filesize
207B

MD5
6b68d5e0ef32a5a1b77eb5ef49847332

SHA1
21306ee3c4e139a146e7a632dd5573a9a539acaf

SHA256
774c874a790a2d4ec0f3b33f3b0a2db4649150a75105299413b7ed3d03301813

SHA512
e7ca1f446730dc9ee9e7b8d2f812879ca64ebce70ef3fafac40a343ccd166500be080fa1d3a3649652c950d996bac7f8b0e6bad6b0f9c10356283c0aa75e5381

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2708_1267894839\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2708_1267894839\bdf759bd-2f4f-4c40-81b3-5b895b17ff24.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/3376-9-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3376-0-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

Filesize
8KB

Download
memory/3376-2-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3376-1-0x0000000000C10000-0x0000000000F9E000-memory.dmp

Filesize
3.6MB

Download
memory/3496-19-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3496-13-0x000000001BD20000-0x000000001BDD2000-memory.dmp

Filesize
712KB

Download
memory/3496-12-0x000000001B0D0000-0x000000001B120000-memory.dmp

Filesize
320KB

Download
memory/3496-11-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3496-10-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download