quasar | hxxps://gofile[.]io/d/4We37C

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/4We37C

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.3:4782

Mutex

06d14704-07e5-47ef-8e8b-bbcf6675ee50

Attributes

encryption_key
76BEAC60C771AFA1F9BCE67D882EA6489CE45AB4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\Downloads\Unconfirmed 163277.crdownload family_quasar
behavioral1/memory/4188-111-0x0000000000C90000-0x0000000000FB4000-memory.dmp family_quasar
Downloads MZ/PE file

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 163277.crdownload	family_quasar
behavioral1/memory/4188-111-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

Processes:

NovaBootstrapper.exeClient.exeNovaBootstrapper.exeNovaBootstrapper (1).exeNovaBootstrapper (2).exeNovaBootstrapper (1).exeNovaBootstrapper (1).exeNovaBootstrapper (2).exe

pid	process
4188	NovaBootstrapper.exe
4296	Client.exe
736	NovaBootstrapper.exe
2900	NovaBootstrapper (1).exe
1116	NovaBootstrapper (2).exe
264	NovaBootstrapper (1).exe
2776	NovaBootstrapper (1).exe
2696	NovaBootstrapper (2).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638213372646492"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3632 schtasks.exe
2100 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4364 chrome.exe
4364 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4364 chrome.exe
4364 chrome.exe
4364 chrome.exe
4364 chrome.exe
4364 chrome.exe
4364 chrome.exe

pid	process
3632	schtasks.exe
2100	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exe

pid	process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4296 Client.exe

pid	process
4296	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4364 wrote to memory of 2944	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 2944	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1956	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3436	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3436	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4512	4364	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/4We37C
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8966cab58,0x7ff8966cab68,0x7ff8966cab78
2⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:2
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3668 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4656 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4484 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4936 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3980

C:\Users\Admin\Downloads\NovaBootstrapper.exe
"C:\Users\Admin\Downloads\NovaBootstrapper.exe"
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Users\Admin\Downloads\NovaBootstrapper.exe
"C:\Users\Admin\Downloads\NovaBootstrapper.exe"
2⤵
- Executes dropped EXE
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=740 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5080 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4656 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4240

C:\Users\Admin\Downloads\NovaBootstrapper (1).exe
"C:\Users\Admin\Downloads\NovaBootstrapper (1).exe"
2⤵
- Executes dropped EXE
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5024 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4916 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4356 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4996 --field-trial-handle=1900,i,5232889076047165412,4472343821842009188,131072 /prefetch:8
2⤵
PID:4184

C:\Users\Admin\Downloads\NovaBootstrapper (2).exe
"C:\Users\Admin\Downloads\NovaBootstrapper (2).exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\Downloads\NovaBootstrapper (1).exe
"C:\Users\Admin\Downloads\NovaBootstrapper (1).exe"
2⤵
- Executes dropped EXE
PID:264

C:\Users\Admin\Downloads\NovaBootstrapper (1).exe
"C:\Users\Admin\Downloads\NovaBootstrapper (1).exe"
2⤵
- Executes dropped EXE
PID:2776

C:\Users\Admin\Downloads\NovaBootstrapper (2).exe
"C:\Users\Admin\Downloads\NovaBootstrapper (2).exe"
2⤵
- Executes dropped EXE
PID:2696

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
8a1c4a4d6bc2dcc466473f8ae4e84fbb

SHA1
becf91c6dc52f1cfb7b6b37086c6fb2bbbdfa48e

SHA256
4944aba6b6dba2485337c9595c1ebaee0cc5c717cce030c51813df1fe23157fb

SHA512
d391523a3da4ce06ed8da81adb8fb7a872494ba507b0fbcca35aeee02774b4972174de1054e444c98e7796af883338641e37456a7080906dae12a528108b6e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
49abcd51be85ee2c4cfc8c7c613adb80

SHA1
240ddf1481aadbc3aef3ef3a7559f7fa0dcfc8e3

SHA256
3defebc26361e0a9c28a698bb1f1880435d7d7daa89aac919e6887821d5aba7b

SHA512
be1507e45a047cb64064599db513434225123245795521d8a768c9a92e1c49f72e1eea7b3f58781f7e65592ac8220e5c2e00e550211446b7d293b53663aa7ff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
688B

MD5
e0a60bd3f36c1ecd0a32ada91e0e059d

SHA1
863974656631eb02e0039ba3384083eaa8dbc4af

SHA256
efc749474d054d58704099c29c599789db9a6714ab8cf53bc079d5b92171e419

SHA512
1149d0328826532e4e52766766d2aae159af6581446d1eb9cf371800d491363bcd06acfdcd86da88f7893c7b73ef8df421610e61da78436e4737eb8c9f030f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
14d79bda6b8c5f28fc19dfe4e8bdb201

SHA1
08fcab94805b5aab1303fae68698f1fc98ebbfc7

SHA256
7b6ae8a7d8c2c6de356795b37965779d89da32c7f850762da6165d28601f2cb6

SHA512
914bc667b74587eb4537dd95a4fb7295ac6a61685029a95cbc780775198c8643e39b0117b35bfbdd10ca2c942ca43dff37573edcc43043bcd1eefd4b16835608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
37025b2a31b6922e0de919a309ea3db2

SHA1
71a70a57aac7757a883589115643d921367775dc

SHA256
cb413b95d004f6be9bcd4c210dd68a9ef53abc090ba9a284adbc47befaf8f4b7

SHA512
ba7ab0006dab99a804af34e767d19dc5a1984a249a30223ee16c5b036e3a1d83071171ee54041c943ca97906fc2da5114c25d11ccfc9eda002259b21b9a6bf48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2e9209e27a2ec85e844ea4a45c5708ed

SHA1
7f23c615673c20699f15c49e9e748cc8492df174

SHA256
36d0cb3f3e0dccfacca5215a64a93f0e54b25a2d218e95d5974b880fe4561a07

SHA512
812dcdc7196ab941b7c06dfd09bf2dbe0880425daf8c167ba55d27bf8e611b228c0a485bdf8f9cb38e2b4b844290c6f215dc7a0607297a7135e565ab31816a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\da0ccac0-2d4b-4a83-9de8-1151832b4a1d.tmp
Filesize
7KB

MD5
db89eaa666f1aaacd9ed6b30b9e8fcec

SHA1
ac406f544db7a4331faf60f6f8c80da2ef62dec3

SHA256
34c8f8cd7b26992826f8f92840d0d13757ab33cf3f6ea2cc4f70ac8b00d6d40b

SHA512
321a87fba55044c771b752091e5acc599801f84608fc69bd8fd31086e79516183fd72c95dd1f47fde6cb81d46f450d3855dd549cac5bc274ac6e78c8ebcbcc77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
d28a8eaf4c2a2500711d1b3fcf7e60c7

SHA1
ee2e5aab01a0ac1e2499729bad82a4e968f2f564

SHA256
a12b6f0ed9cca20c89bcf33effc6e1768a4d88b57aefcf5d7a8f7dfbafb064d3

SHA512
a2c66db5f4428d9cea4cd10cd26426d78ec440a0042eb4e8751dc83b40a50105c65c3057592bd28210ec94ae21d6ea91530e8f858c94aadbd64f6c78e42290b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
28638527c0e674826037814a1c827076

SHA1
18788a014096c1bd7b33c6ee003a017d2ecadfc0

SHA256
3fbf619be678c9956611558759e5d96f68ef2d49fbcbc0c35a30048f11710632

SHA512
b731144be82577a098a26f0ff1c9481ed7c38faa522cbe37813076abff748825a30956a4572adda243edb6d72e9dacc197a392f92022f5da8cefe80a9906b5ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580a4c.TMP
Filesize
88KB

MD5
fa155e92346452a9b9c776dc2bc89f31

SHA1
4980eb318f764e3c22ba7fed517f6ce79763e54a

SHA256
9e932a1f94a7f56b08c9bd4a76d5093778d5d352ee0b98e41a1fda733e244523

SHA512
90de12a7f469ad0a9c084b1277908ac59fdfb95ac533d92e90a9561f2bfe04d183e2cc6047919ff98032835250ecfec38c50fc0c6e640f69ddc182006f619619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NovaBootstrapper.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 163277.crdownload
Filesize
3.1MB

MD5
79dfd864355f1dcdc619cb0a052d1a0d

SHA1
69a7574419c2b5ef07acf6ca80cb7f78f786da94

SHA256
30c2df30c2fad08e6bfb7c73c9c89ee99bbeca73ccf94fa539130562e53385e8

SHA512
c281fcd8f0a79340f33e3a5da3062add6b9ac3b706b8b91fbf84b47d8bbe629dde4672edd0deb5f2a59a30ce2af150376c6f228b496847cba1c48e57ac67e1c9

Download Submit
\??\pipe\crashpad_4364_RTEKGRBJHSCOSKTW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4188-119-0x00007FF882FB0000-0x00007FF883A71000-memory.dmp

Filesize
10.8MB

Download
memory/4188-112-0x00007FF882FB0000-0x00007FF883A71000-memory.dmp

Filesize
10.8MB

Download
memory/4188-111-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/4188-110-0x00007FF882FB3000-0x00007FF882FB5000-memory.dmp

Filesize
8KB

Download
memory/4296-122-0x0000000002880000-0x00000000028D0000-memory.dmp

Filesize
320KB

Download
memory/4296-123-0x000000001B990000-0x000000001BA42000-memory.dmp

Filesize
712KB

Download
memory/4296-121-0x00007FF882FB0000-0x00007FF883A71000-memory.dmp

Filesize
10.8MB

Download
memory/4296-120-0x00007FF882FB0000-0x00007FF883A71000-memory.dmp

Filesize
10.8MB

Download
memory/4296-147-0x00007FF882FB0000-0x00007FF883A71000-memory.dmp

Filesize
10.8MB

Download
memory/4296-179-0x000000001C2C0000-0x000000001C7E8000-memory.dmp

Filesize
5.2MB

Download