quasar | af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

Resubmissions

25-04-2024 16:38

240425-t5ctfacg48 10

25-04-2024 14:35

240425-ryg4gabf95 10

Analysis

max time kernel
1800s
max time network
1692s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

advbattoexeconverter.exe
Size

804KB
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Win32.QuasarRAT (1).zip.crdownload	family_quasar

Loads dropped DLL 3 IoCs

Processes:

advbattoexeconverter.exe

pid process

4416 advbattoexeconverter.exe
4416 advbattoexeconverter.exe
4416 advbattoexeconverter.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

30 camo.githubusercontent.com
41 raw.githubusercontent.com
61 raw.githubusercontent.com
Drops file in Program Files directory 1 IoCs

Processes:

advbattoexeconverter.exe

description ioc process

File opened for modification C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.ini advbattoexeconverter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4416	advbattoexeconverter.exe
4416	advbattoexeconverter.exe
4416	advbattoexeconverter.exe

flow	ioc
30	camo.githubusercontent.com
41	raw.githubusercontent.com
61	raw.githubusercontent.com

description	ioc	process
File opened for modification	C:\Program Files (x86)\Advanced BAT to EXE Converter v4.61\uninstall.ini	advbattoexeconverter.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585367325373326"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings chrome.exe
NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Win32.QuasarRAT (1).zip:Zone.Identifier chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3848 chrome.exe
3848 chrome.exe
3076 chrome.exe
3076 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

3848 chrome.exe
3848 chrome.exe
3848 chrome.exe
3848 chrome.exe
3848 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Win32.QuasarRAT (1).zip:Zone.Identifier	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe
Token: SeShutdownPrivilege	3848	chrome.exe
Token: SeCreatePagefilePrivilege	3848	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe
3848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3848 wrote to memory of 5016	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 5016	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 2628	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 3040	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 3040	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe
PID 3848 wrote to memory of 4028	3848	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe
"C:\Users\Admin\AppData\Local\Temp\advbattoexeconverter.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa717fab58,0x7ffa717fab68,0x7ffa717fab78
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:2
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:1
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4364 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:1
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3444 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:1
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3864 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3852 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
- NTFS ADS
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2808 --field-trial-handle=1796,i,15984395497572828293,14294324206988018027,131072 /prefetch:8
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Win32.QuasarRAT (1).zip\QuasarRAT\build-release.bat" "
1⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Win32.QuasarRAT (1).zip\QuasarRAT\\QuasarRAT.sln" /t:Build /p:Configuration=Release
2⤵
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
d893627574b7802a78d022360ceb3659

SHA1
4c6f50cea53dcbed4d88fb0fd5a3e937504fad5b

SHA256
3bea8f441db5a2e47c30fb4101025f67321eece6f57eb9a6a6d6d1845fce98a6

SHA512
744fedb6b25036525a3503ed156156297c91b0106955d3f17242884b05759a977a1ba2b0fc6fd31859452f5f48dd9fdef17ed7592b53c0bf2eaa5cf904ab3def

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
5e2a3175ebadd262fd64ae4c80b6659b

SHA1
e026aad65ff86780c5eae19b18cc252496b1779a

SHA256
014a51935ad4992bbd7817225c57cd7fd3c51d5a5e6987ad915e2b12ebdb657c

SHA512
375cfedf6c541ee4fbc5325330640333aa6adcf4dccdc1622f90dd0ee08c9bf3d8a9ed846a532f9908b91e86a06701b24b1ec182ca1bff7e8fe2965edcf341b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
d05bb7c850eeb5a4e44985943b9f11a1

SHA1
54d75c1b55b1806838c3e0d70569dc2d656bc913

SHA256
7a687359b3c0284dfd2b00900205029556d975df6b6035478a78d23fd1eccb85

SHA512
c0dddc4ace6f34e4dd2bb29387c225bd41074538af1941835b2a011dfadeebaf8624c46ca4dd50880b2a252d31c586febfc3f4056398999c4d5025465610e0bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d27334d24d7f2e0d82c6f5fc5fffdddd

SHA1
4382d52d2953bcc923617090625e0bb13227d1fd

SHA256
e375779949f91f41e9cbd5d29c7c3abd08814d7a3aee0c9d18475ec08ec8565f

SHA512
b538ce23f0a356ff57be7dd6219d2194208e62227f6352a8637c620c6d794548a26974bb5d0e4443006675411797ff7cde3672ee6597dd197a87ff1d7abb9a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
02c7d8d2595bb5bfd36f3c278423672f

SHA1
8e78d0c5641ad49573598a18938b1fc4ac31cf3d

SHA256
ca9ca3c74c518965bf60f57f9025e78705d4b31766f1e03383752d6875a836df

SHA512
f1fe3aeea0a2e78fbbc80fbb46499c5ba3d7c382469a8a463516692ecc54bcb2573519253d23f932f60cb128958152963dcebfe1f25f8a2ae74565c016e9d731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
fa67be944e2852b1ab3310f1044455fe

SHA1
cd0296f413d2bd158a907ddfbe4a47e91afa0b29

SHA256
6a6e289ace7610d86356d169040fbebd61260ee37932060023e070f85a9f6e72

SHA512
63ed64558d553a9b84d41aa9dc3e27ec30d70ceb158afcf96424c79eb82f22a696e5d7b132b476b33a03437d3a69de12fcb7031bfa499fb0b83581e6fcf2135a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4aec62557c4fd6e1e326c15fa61cc442

SHA1
140bcc983749e3d71a16bfd3e2ef555b63e9fac3

SHA256
8d326ba4c9312a0b0ea3b52357b0b8e31fc86c11f23d2a5075871bf958a8c2ed

SHA512
a4adbcc610a8dd17011274d09617d1af758d1f96f61baa0a72cf7ce54de55c99ebb76bc6e1dd0290f3e7ac1f48d82110364ca429d97a3c4fd8224f6c9a28c15c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8dbc3d65cc40a6c05bc79d17a34830da

SHA1
df8fa59fb57b7793b2475592133e7db5b8ae01cd

SHA256
925b59b256769496bd3de66dab12fb8d15da852029403cb4fe368d33f04564db

SHA512
a2b6a20bd3cb71240bba867d2cc142691435d32b67545727a510e06e12cb3c9effb63c8069f75d461791f755e66e7500135b42119ea35a2f483b75cc9477a7a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fb09394d2c0efcb51cad43114438e109

SHA1
8e04d462fac100cf843515e72e739dc251788720

SHA256
9df637fcb3b826c7a1b9e5103edfb4f0634dbd3fcb04c575bc0f5f98fdcdac89

SHA512
6396101d46e87e2882c2fa26a7aad3c36cdc257aed9385ca1f7e497bf4cbcec51f675901cf1f6f0e4a0f5859e6f164e1cd97190ef164c51706f422cdc21a02a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2ec6b5b9608e6de0037823dbb9beccf7

SHA1
6bfce7ac98ea166ed563218bd599cb49f3a78506

SHA256
9b09f5003bdb44b025819edc490e540b75e33f220efc344b7558eb6bece9356f

SHA512
cad395677bfd1973b93923e29a10aeee6d18af856deb2f5874124d51ba854bb9046632e4ef4e1ef736a73ebae6942c674d73419d4f96c68644269c2a79a0b81c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
bf0014f4de4152364c3ead8aa1ff7fb5

SHA1
a6ddefc1e37d3dda89ae2eaf5d3b78401b9142d6

SHA256
10aa78b2472bfa74b760f5f7d483ea61759b9403e38bb186ae9d6ff7ad04e83c

SHA512
343f9cb9812bf7c213c4932c626d55d435bce5668072ba667b8aac7d9498e9a1e658d186ba7c9f36ce144c7f43d79df97faa74d0a2da83e0087351ffef8b3bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c5f7f5776eebfb2c7955c6f7f4bba0e6

SHA1
c961962eb24fee21f1aeb4bdc95b0d088c4511c7

SHA256
a9af1f361ae45571b414088538161a71b300f3875f2b9990e31ec4f6cda0ce9b

SHA512
dafdb71d2cdd3361a550d7da4e8e40baca79f0b2d7b008d7962f03d9ab03badec46fed7072d5e9e3172f43f709229de392fc90ac085caf66973099a29c515840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
214e2e5cc061596df7e313dd2189cfb2

SHA1
840513557657c67922fa7e7faf0a8ba2146e1774

SHA256
87f1345fa544a54cfe5b56f7c67bab354d319e879e80e92d9c7d44e850fbd629

SHA512
75077d0031f06e989b638205066b1c7b2bdeadbc0e941737609fd59fd422babd283d6a6633530f787bf1daaf228daefdbe3872294c850876fb8aa0e9ff30c7e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
878f8ace0410e169b044cdf78a91d482

SHA1
3cc8b5dd5e19d724c27718dad79b6b222eed5d8f

SHA256
348c5ee6e10aaa584cc7d117be28d49eb853c9e157861d50c026d10c6f6fe534

SHA512
f755a0eeb01bc7368198a9e55ffaf883c3199288d87146f57703221a15e975fa8f46b20f68b01a7dd89a9d072615f0310bd25635f70acfe96c5b271965cbb921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4eb441439fd56206b515dd1da15e55bd

SHA1
5e2e83ebe824fe2b83ccaebac40f9200602bb5c1

SHA256
fa76506b44b5e6f20468378b4efad44bbcc8a4b50a6a38739534de18da0c2b6a

SHA512
a230d75245438d57e4153d23f8725e2d43694e6739f0d39d1f7edf5a99d0587fd66a8a764b5dd4e301b135ea35655671e9082ce4d6876889b5dff86cc1ee892a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
bc6d36a3032ed0a2ecffef7efc137611

SHA1
168c23ffb43c42e81053a319ba6fd35df786ac1d

SHA256
cdd286ee57c83085a32e9ea70b3bd3e8855ecc72c4c9e8633cd7dd720610a3f4

SHA512
c3279041600ddc380b152f0567f4be20e23a621b624adc562c1676f5fb2a7ba0bc522112d33b43a55825f214ca157bb84eabcfc048296d708c56bcbc58e65d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3f95bff730c5ddc249100f3e43400a58

SHA1
0aea06daa76f2662daa11185b72d8a88fcae5fdc

SHA256
e2c30e95986a902244133d28f621a71e985331721dbe39981620f22ed466d525

SHA512
af4478a97f387cd872825aea3470cc322a299a07782cadb2231c082357ab321162dbbd8252d7072f516271016199bc20db1e6e70b476d2bcd34ea8b8b359d6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8fd5be7bf3ad010529c2359ce4a29dd2

SHA1
ee822e7d07eff8b6019940a9a10ca3d3c4820c64

SHA256
a887724ffc2fb49daa7a797a39a5bdecea1500d31ab16b852ba8fde1627a2561

SHA512
bad6f49acc9743f01f16a1cfd114ffcee579c1af8b541e67d0a5e7ba982cd4ad06715955695da3d4279403131d65f91ef0d4633f90d49d28dfa3f1cf93a57fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
79eaa2ca7a1b50437cb6b1a4e415a6b6

SHA1
298f918dc8a7d17af6f08bfee29e1a105b6aca75

SHA256
a34d5685e8d2d8aa31deade065a32901925dbd58d5b34e707ef0290cbcadd7e7

SHA512
03aeec87b5dd1f70711825e1c62765a2b64daca8df7ef00e9a68a3de6ded555088242c186045cf5c9f12c8f35ae35e29f2e106a91be808d2e4386ebe51929bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
0b85cf182f1b3f94126f118924d260e8

SHA1
34dbb87b065778e808831246839746426bb1723e

SHA256
39f7287a8c9cc3ee6a242ed2b532af3743381a0ab9498aec28daf5432a659707

SHA512
85d3c289445f57a1e8a808d360ea31a97e722b26d6da326aff34536ecf358a1fdc7419d994046f0ccd746a0b46955bb325867c6841c5c90b28cdbd2b82458a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
cd4502b964db49bc2cb33084e7dc6d8e

SHA1
abf39c86b67ab80b15a4130bab3da48d80506648

SHA256
ab4dbaade254d4273f661ae8c1ea551b3ee904dd97c4580c973bab98431b960f

SHA512
b4f403e2462a3693a732eec0047b4e43ab24f757b6259512ab14fed839eecf7c2feaa9ff6cba1f73ad5bbc1c9eaca7a2e8306fb79d27a712e4593d967a79b339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
1cf32a6264c2026caa1166af317c1949

SHA1
a82cb9314e79ce08f5d6c91fff4743720c372dc2

SHA256
1a095ce36b8bc10337fa0a1d71fb61d0ff90954ba6c2242c34952a04fa1ef667

SHA512
de8f5ae97b3b47379f0e5ce9bca779c2335f64a47615a383581af809987c186013bf5d9f33a75e78f215a4dab233ee3cdb49d7e6772181ac74b19762d7fd8f30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
55f330409cd306da1d142487e33f1e71

SHA1
2e9a3a9f547af52cac30db51f441d39eab8e834f

SHA256
2e0c1c597efcf4be541917bd875657e445f40aa884995e8bd6655765dfa61f7f

SHA512
2372f89bbfb2aca7d659a65b5ac08f1aefdd42982c428e4489d555ed90e5887c0f3548d2b0277cc153ac25c9f64f0d315aca05dfa6f66aafb3fbc74c668abae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
ba075d83a329075b543f141a8581cd56

SHA1
24a46b110cbd9a38e6ebbf8f67ca8005133f3921

SHA256
598aa3f6952071f8e634b19cc8143f540db5b7755872c5e024afb8c8a74a5f5f

SHA512
0ed58961f9865e2556726978915d41e0d68bb05e205609fa6da00376bfb861f4fdaa92603008f936283f413de7871ddec58ba060a551b8154b06488d2ca3f5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe596845.TMP
Filesize
83KB

MD5
4fff29ac995b69b52e847c5bd941e2f6

SHA1
5e8fe57bd161fff2e6d3b7ab4d213cc75fc855d0

SHA256
b8739d17b95467fd1fe4a72f47a9117379e4819296471ff707e3e9eff23445e7

SHA512
9ca15c5d1e0f4da57cffde56218f005769e458d92468b40a8bebe0f68742e1c4466be7c948c38dec40a5cdf70a8a1229cbd7cf78fbbdbcceba1690938b05e0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\gentee.dll
Filesize
100KB

MD5
30439e079a3d603c461d2c2f4f8cb064

SHA1
aaf470f6bd8deadedbc31adf17035041176c6134

SHA256
d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a

SHA512
607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee00\guig.dll
Filesize
20KB

MD5
f78ee6369ada1fb02b776498146cc903

SHA1
d5ba66acdab6a48327c76796d28be1e02643a129

SHA256
f1073319d4868d38e0ae983ad42a00cdc53be93b31275b4b55af676976c1aa3f

SHA512
88cff3e58cf66c3f2b5b3a65b8b9f9e8ac011e1bd6025cadadb0f765f062cb3d608c23c2d3832f89ada0b7681170dce1ee4a0b8b873e84135756d14ba8c69fa9

Download Submit
C:\Users\Admin\Downloads\Win32.QuasarRAT (1).zip.crdownload
Filesize
5.5MB

MD5
474f0dd9251ba99461f1a2a23b8f75f5

SHA1
89c29039f931e864799fbb70f389e42cf5ac5f77

SHA256
09379f107c3da4cee20e01972d5ae172aa7b283aab2d5bc7b35e933543dc33ce

SHA512
f6a4bdfbbec148f31e1a8d93df3996fa430c39d6071b5f8f4279f75157489d7886b37717299d09489e22c048bb6d297ea8eade3618614e6efd30d53d55b59e1d

Download Submit
C:\Users\Admin\Downloads\Win32.QuasarRAT (1).zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_3848_KVLEANZGRUJBSDBV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2416-527-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/2416-528-0x0000000002600000-0x000000000261A000-memory.dmp

Filesize
104KB

Download
memory/2416-529-0x0000000004C30000-0x0000000004D8A000-memory.dmp

Filesize
1.4MB

Download
memory/2416-531-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/2416-526-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download