quasar | 733436d5bc6464c09757584b8609fa28898f2622412e55421ebdab550e02e4ea

Analysis

max time kernel
83s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c9732d408949b3d82ac9a957d399e0bb
SHA1

413c3d019088c910fd0bf9566c970bbe6757c33b
SHA256

733436d5bc6464c09757584b8609fa28898f2622412e55421ebdab550e02e4ea
SHA512

1f3d9b8cc4e04fdc6e56f687e7dd69a964581adf5f3f6b2ee03484d33d70f6487005046ff07cc2fbccb9be9ac80fc2c20906da07b4f0afcbb54581c42a9da45d
SSDEEP

49152:avUt62XlaSFNWPjljiFa2RoUYIocRJ6UbR3LoGdW01THHB72eh2NT:avI62XlaSFNWPjljiFXRoUYIocRJ6e

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

ZE:4782

Mutex

911e182a-c76f-4c94-979c-4ba6b3b24941

Attributes

encryption_key
EFF71D9D44DB5A6D9B14E191FC8CC16A1F4043B2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/2476-13-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/memory/292-26-0x00000000008F0000-0x0000000000C14000-memory.dmp	family_quasar
behavioral1/memory/1284-39-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/1432-52-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar
behavioral1/memory/864-134-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar
behavioral1/memory/864-135-0x000000001B440000-0x000000001B4C0000-memory.dmp	family_quasar
behavioral1/memory/1860-162-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral1/memory/1864-174-0x0000000000E00000-0x0000000001124000-memory.dmp	family_quasar
behavioral1/memory/2108-194-0x0000000000F60000-0x0000000001284000-memory.dmp	family_quasar
behavioral1/memory/1616-209-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2648 PING.EXE
2304 PING.EXE
380 PING.EXE
2936 PING.EXE
580 PING.EXE
1320 PING.EXE
2052 PING.EXE
1552 PING.EXE
2776 PING.EXE
2768 PING.EXE
2420 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2376 chrome.exe
2376 chrome.exe

pid	process
2648	PING.EXE
2304	PING.EXE
380	PING.EXE
2936	PING.EXE
580	PING.EXE
1320	PING.EXE
2052	PING.EXE
1552	PING.EXE
2776	PING.EXE
2768	PING.EXE
2420	PING.EXE

pid	process
2376	chrome.exe
2376	chrome.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exechrome.exeClient-built.exeClient-built.exe

description	pid	process
Token: SeDebugPrivilege	2992	Client-built.exe
Token: SeDebugPrivilege	2476	Client-built.exe
Token: SeDebugPrivilege	292	Client-built.exe
Token: SeDebugPrivilege	1284	Client-built.exe
Token: SeDebugPrivilege	1432	Client-built.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeDebugPrivilege	864	Client-built.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeDebugPrivilege	1860	Client-built.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exechrome.exeClient-built.exeClient-built.exe

pid	process
2992	Client-built.exe
2476	Client-built.exe
292	Client-built.exe
1284	Client-built.exe
1432	Client-built.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
864	Client-built.exe
1860	Client-built.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exechrome.exeClient-built.exeClient-built.exe

pid	process
2992	Client-built.exe
2476	Client-built.exe
292	Client-built.exe
1284	Client-built.exe
1432	Client-built.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
864	Client-built.exe
1860	Client-built.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Client-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exe

pid process

2992 Client-built.exe
2476 Client-built.exe
292 Client-built.exe
1284 Client-built.exe
1432 Client-built.exe
864 Client-built.exe
1860 Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exeClient-built.execmd.exechrome.exe

description	pid	process	target process
PID 2992 wrote to memory of 2708	2992	Client-built.exe	cmd.exe
PID 2992 wrote to memory of 2708	2992	Client-built.exe	cmd.exe
PID 2992 wrote to memory of 2708	2992	Client-built.exe	cmd.exe
PID 2708 wrote to memory of 2824	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2824	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2824	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2052	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2052	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2052	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2476	2708	cmd.exe	Client-built.exe
PID 2708 wrote to memory of 2476	2708	cmd.exe	Client-built.exe
PID 2708 wrote to memory of 2476	2708	cmd.exe	Client-built.exe
PID 2476 wrote to memory of 2644	2476	Client-built.exe	cmd.exe
PID 2476 wrote to memory of 2644	2476	Client-built.exe	cmd.exe
PID 2476 wrote to memory of 2644	2476	Client-built.exe	cmd.exe
PID 2644 wrote to memory of 2756	2644	cmd.exe	chcp.com
PID 2644 wrote to memory of 2756	2644	cmd.exe	chcp.com
PID 2644 wrote to memory of 2756	2644	cmd.exe	chcp.com
PID 2644 wrote to memory of 2768	2644	cmd.exe	PING.EXE
PID 2644 wrote to memory of 2768	2644	cmd.exe	PING.EXE
PID 2644 wrote to memory of 2768	2644	cmd.exe	PING.EXE
PID 2644 wrote to memory of 292	2644	cmd.exe	Client-built.exe
PID 2644 wrote to memory of 292	2644	cmd.exe	Client-built.exe
PID 2644 wrote to memory of 292	2644	cmd.exe	Client-built.exe
PID 292 wrote to memory of 2672	292	Client-built.exe	cmd.exe
PID 292 wrote to memory of 2672	292	Client-built.exe	cmd.exe
PID 292 wrote to memory of 2672	292	Client-built.exe	cmd.exe
PID 2672 wrote to memory of 2460	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2460	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2460	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 1552	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 1552	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 1552	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 1284	2672	cmd.exe	Client-built.exe
PID 2672 wrote to memory of 1284	2672	cmd.exe	Client-built.exe
PID 2672 wrote to memory of 1284	2672	cmd.exe	Client-built.exe
PID 1284 wrote to memory of 2264	1284	Client-built.exe	cmd.exe
PID 1284 wrote to memory of 2264	1284	Client-built.exe	cmd.exe
PID 1284 wrote to memory of 2264	1284	Client-built.exe	cmd.exe
PID 2264 wrote to memory of 1740	2264	cmd.exe	chcp.com
PID 2264 wrote to memory of 1740	2264	cmd.exe	chcp.com
PID 2264 wrote to memory of 1740	2264	cmd.exe	chcp.com
PID 2264 wrote to memory of 2648	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 2648	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 2648	2264	cmd.exe	PING.EXE
PID 2264 wrote to memory of 1432	2264	cmd.exe	Client-built.exe
PID 2264 wrote to memory of 1432	2264	cmd.exe	Client-built.exe
PID 2264 wrote to memory of 1432	2264	cmd.exe	Client-built.exe
PID 1432 wrote to memory of 1160	1432	Client-built.exe	cmd.exe
PID 1432 wrote to memory of 1160	1432	Client-built.exe	cmd.exe
PID 1432 wrote to memory of 1160	1432	Client-built.exe	cmd.exe
PID 1160 wrote to memory of 1640	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 1640	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 1640	1160	cmd.exe	chcp.com
PID 1160 wrote to memory of 2304	1160	cmd.exe	PING.EXE
PID 1160 wrote to memory of 2304	1160	cmd.exe	PING.EXE
PID 1160 wrote to memory of 2304	1160	cmd.exe	PING.EXE
PID 2376 wrote to memory of 2828	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 2828	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 2828	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 888	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 888	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 888	2376	chrome.exe	chrome.exe
PID 2376 wrote to memory of 888	2376	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1v52en3f6Oid.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2824

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2052

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H8z0VSlkf9bv.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2768

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xd2RmpPriOch.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:2460

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1552

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYfewhhiLnfB.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:1740

C:\Windows\system32\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:2648

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HnhAMKYxFd0d.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:1640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:2304

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\h7OuC3QcN87L.bat" "
12⤵
PID:1416

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:1716

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:380

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZHXKkglVJ9kS.bat" "
14⤵
PID:2580

C:\Windows\system32\chcp.com
chcp 65001
15⤵
PID:2536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:2420

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
15⤵
PID:1864

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E3Ymf8PVppFz.bat" "
16⤵
PID:1796

C:\Windows\system32\chcp.com
chcp 65001
17⤵
PID:856

C:\Windows\system32\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:2936

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
17⤵
PID:2108

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mORXV9y4S9Ks.bat" "
18⤵
PID:2372

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:1424

C:\Windows\system32\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:580

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
19⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mcn8joJQ4FDj.bat" "
20⤵
PID:2960

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:1012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:1320

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
21⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mrmzy93s4HlE.bat" "
22⤵
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:2404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:2776

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
23⤵
PID:1572

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65f9758,0x7fef65f9768,0x7fef65f9778
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:2
2⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:1
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:2
2⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2860 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:1
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:8
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 --field-trial-handle=1340,i,12766151954315405713,1602260168084899491,131072 /prefetch:8
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
898b51283f5815dd80b4482bb2c97293

SHA1
901c069d4c994af4d9991d1c137455381665f4c1

SHA256
0e2172419fce0a2557030b3d1676bc9095e96a4ae61a3db9e61927dd490f594c

SHA512
6593567343c7dfe4b2c2d7fd5b616e92e3bde340aa55ded30ac47c2a7f64658bf9a963e250bb5b5897f45c1666b505d763997acfcdd96010fea86ceae081c606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a06af27709c86a976b8a3df57ce95b02

SHA1
a4643c253f66ec7f7ed74c5e284b8ab00ec27706

SHA256
a1af327e91df8a726c41c398e90072556dcaf07848990629d4452cc3eaad113d

SHA512
2f962ebf9ba401d6422665487b8dcaffeb0e806a64813d56a6fa2ab7c2d6095d8d0bfed45ae0303db497f0914b1cc4d680c62da577628eb341d29c8137bdee65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v52en3f6Oid.bat
Filesize
209B

MD5
b1f71f8887fff0cbc26d62869a43fbd8

SHA1
4e7dfe024e2923b6bf08987a87c7bc2fa4e543d5

SHA256
25b8e3c2a44fee431b105461b0ced95958aaf8670625402b2e1d74b3438d9ea8

SHA512
f113baa6483b3d514aa2bdd4313230dcfd8f3d39e1003930d689b98d9d509eb5cff78e2426cbbf37c49eab7ec2ed26fb095209d3385e040a5be845be0f6e7791

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ymf8PVppFz.bat
Filesize
209B

MD5
646198b71a4d1b83927f5c7855e16f79

SHA1
db11e0dc12f0a3a242f8e4230fc9e1820bd2b13f

SHA256
80e23537bd63e7d5b31f304916f1052c04048acbf1f55d5f9a8446b5f456e1ce

SHA512
0136e25aa751ed77b20fffa3f2a41acc60ca971151b939bc3c4cdb3258b77e3749ac2934bd2807338e88683d29bd632ce5aecc64347719d838af31184dacc31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H8z0VSlkf9bv.bat
Filesize
209B

MD5
4d7d17ffd2133e2ed9d1e7314a49b47b

SHA1
ff468b3cb7aa0e1d279fc0738996e9ed1fd42989

SHA256
509ec6aa5c04a0fa109c64e063f819df1a2b238d47534249b53f60ce974e701e

SHA512
8c534fe8e8eb4b0e40a3bd34d7613502357db28bfb9351c3df35d36b5a5a0a682a490f5a9f566c0864fa1d75848bd1cd56dd748806bd8297e60b0139e4136d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnhAMKYxFd0d.bat
Filesize
209B

MD5
2a57ac7700093a65f9163b7de85df366

SHA1
1144673a6d4fecfff395ccc4a8b5b6d71f8de196

SHA256
c88f6356e47cf34868327172aab4aa05057f6d4230219e44eb20db0d4776f8eb

SHA512
ab3e246c9637f4aa48cccfef8b65c1e4f4c803123fb8ba4bb6aea2f84c7fd674e63145f945ab55120f29c7d2bc20f697666ea183f09fcde579e2564012e9c8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcn8joJQ4FDj.bat
Filesize
209B

MD5
fbd8d9b09c7966213d48069a930a7f40

SHA1
6e8a9ab66d057f78cba957a3a537fd3185db25db

SHA256
31f15f073fe7f44c66649895b518a80d541420308734bc395f20d9b2aebe63cc

SHA512
15ad1e66b8e2fb7abeab147d09d69410580711c2ed2ec9d7ac8dae103c27af6c7d254c9f330a711270f2c2252f5ad7de4a6f2252a819012b666c29b226b05986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mrmzy93s4HlE.bat
Filesize
209B

MD5
ed9c2a2bc0405eaa816acb6f1c63bf4b

SHA1
270663dc6c2f00a923fa4718e6863b370a9cf02b

SHA256
d49defad043ef362581af8835e72b4a7110b557e5647d2edae311b56851ac4a1

SHA512
1fa1646f9854bc056d535ec5f3893f7786be2f299bc9b99e95e20031fd9eed2856c05fbdbe1b3cc58ee850c78c21c97e1e24b822f5c5a8ab6b85d4ff649a3424

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYfewhhiLnfB.bat
Filesize
209B

MD5
c4c0fc98c209eeda37698123798b024d

SHA1
d5080ef394153f33a546e30e2754e37c8856654d

SHA256
5149775bc7d1b09d6e6488cea2ec41f7982894eeee9d9130844806e3378513c3

SHA512
901fa225d537798ecd28ddf87c47f63d4f3db70caa588160cb93fa7ce4e8cf045ac8ac3d83b18bc0e2cb60e095e358847696d1d10d36e889a13c2b5d3d031ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHXKkglVJ9kS.bat
Filesize
209B

MD5
20d43714e574b05450d8577e6c8050e2

SHA1
87e5bc5a9c770c4cb1bd54ab32c2bcb8c8405eae

SHA256
ea9717f507458d78cbb20cdf98e4c1e1939231a6ca098a388d825213169dd8ff

SHA512
e49928f58098fb6b441d274f0725c1894c3dc122b7c91b048ff600bfee85a7407da24cc71048a8e05b7b08bbb191f464543d213d2fb0d0ba1ab35bfaf8fd07f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7OuC3QcN87L.bat
Filesize
209B

MD5
69d77a1e305ca11caa537c3a9c7abb50

SHA1
a15c9a52907dc746d79ae2839b69d28fe6cb9837

SHA256
7108aefc46e395f6ecf5a1b8ff9ae971624fd365e87daa278e09619157441b4a

SHA512
21ccab97baf10d546bcf226d970a64028e6fb2125e2cd96c197922fbd48d79df8e8d015993d630193003f2f3698ce7ee60c3e42701325ce1d06fefdff9a42678

Download Submit
C:\Users\Admin\AppData\Local\Temp\mORXV9y4S9Ks.bat
Filesize
209B

MD5
2730d5a9756c5d5154123947dbd53533

SHA1
800954de718aebfbb13a50a678c1a98fcaa24135

SHA256
7b6fb2414d4d56ffc53701b33a7735c759e61fcae0fe181777c71803e4523664

SHA512
fda47ab78fd38d95f74cc91d6781b97c8bb217a8cd5c602e24fab15e84e48229da34594c83a12d9490d6139f5dbdc9cc06e75f99cf192e5fe3ac9d26957f43f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xd2RmpPriOch.bat
Filesize
209B

MD5
f8bd3454006b616220ccb4ddd9c8b2f7

SHA1
14945278c0a354298bc4eee6f03082707fdb0977

SHA256
45a5d96311ce887c9c8c9e94f1e6fd5f660fa7d659d490f70caa4d55eba29c12

SHA512
7b038115711a72e3adfd291ea63118cf1abff38ae5482ca85d8cf52dffc3f7483743969035846cd2132d465d686a1e8847e0cd1d5b9689065515e94b701c9b81

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/292-27-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/292-28-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/292-26-0x00000000008F0000-0x0000000000C14000-memory.dmp

Filesize
3.1MB

Download
memory/292-38-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/864-135-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/864-134-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download
memory/864-133-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/864-152-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/1284-39-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/1284-51-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1284-40-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1284-41-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/1432-64-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1432-53-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1432-52-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/1432-54-0x000000001B720000-0x000000001B7A0000-memory.dmp

Filesize
512KB

Download
memory/1536-243-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/1536-234-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1536-233-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/1572-246-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download
memory/1572-245-0x000007FEF3940000-0x000007FEF432C000-memory.dmp

Filesize
9.9MB

Download
memory/1616-210-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/1616-220-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/1616-211-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/1616-209-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/1860-163-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/1860-172-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/1860-162-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download
memory/1864-175-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-174-0x0000000000E00000-0x0000000001124000-memory.dmp

Filesize
3.1MB

Download
memory/1864-186-0x000007FEF3830000-0x000007FEF421C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-176-0x000000001ACD0000-0x000000001AD50000-memory.dmp

Filesize
512KB

Download
memory/2108-195-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-205-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-194-0x0000000000F60000-0x0000000001284000-memory.dmp

Filesize
3.1MB

Download
memory/2108-196-0x000000001B290000-0x000000001B310000-memory.dmp

Filesize
512KB

Download
memory/2476-14-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-15-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2476-25-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-13-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/2992-2-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2992-12-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-1-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-0-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download