babylonrat | hxxps://mega[.]nz/file/5mA1mIKR#ixf6HKrMhPjTwe7xdyNjXZFHsngSitbZQTOYxr_ZTfw

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/5mA1mIKR#ixf6HKrMhPjTwe7xdyNjXZFHsngSitbZQTOYxr_ZTfw

Score

10^/10

babylonrat quasar spyware trojan upx

Malware Config

Extracted

Family

babylonrat

5.2.67.66

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002344f-213.dat	family_quasar
behavioral1/files/0x0007000000023587-746.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Quasar.v1.3.0.0.exe

Executes dropped EXE 3 IoCs

pid	Process
4776	Quasar.v1.3.0.0.exe
2308	File.exe
3324	Quasar.v1.3.0.0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3324-2127-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2129-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2132-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2130-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2128-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2125-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2145-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/3324-2159-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4776 set thread context of 3324	4776	Quasar.v1.3.0.0.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3068	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594198511373827"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\usrData\svchost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
4776	Quasar.v1.3.0.0.exe
2108	chrome.exe
2108	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2308	File.exe
3324	Quasar.v1.3.0.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe
Token: SeRestorePrivilege	1628	7zG.exe
Token: 35	1628	7zG.exe
Token: SeSecurityPrivilege	1628	7zG.exe
Token: SeSecurityPrivilege	1628	7zG.exe
Token: SeShutdownPrivilege	2108	chrome.exe
Token: SeCreatePagefilePrivilege	2108	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
1628	7zG.exe
2308	File.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2108	chrome.exe
2308	File.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3324	Quasar.v1.3.0.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2912	2108	chrome.exe	82
PID 2108 wrote to memory of 2912	2108	chrome.exe	82
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 2976	2108	chrome.exe	83
PID 2108 wrote to memory of 4888	2108	chrome.exe	84
PID 2108 wrote to memory of 4888	2108	chrome.exe	84
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85
PID 2108 wrote to memory of 4536	2108	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/5mA1mIKR#ixf6HKrMhPjTwe7xdyNjXZFHsngSitbZQTOYxr_ZTfw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc634aab58,0x7ffc634aab68,0x7ffc634aab78
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:2
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4384 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5408 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1948,i,8672018905405844719,17261818054501155408,131072 /prefetch:8
  2⤵
  PID:3220

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Quasar_Gold\" -spe -an -ai#7zMap31317:84:7zEvent10151
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1628

C:\Users\Admin\Downloads\Quasar_Gold\Quasar.v1.3.0.0.exe
"C:\Users\Admin\Downloads\Quasar_Gold\Quasar.v1.3.0.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4776
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  PID:5484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\usrData\svchost.exe.lnk" /f
    3⤵
    PID:5180
- C:\Users\Admin\Downloads\Quasar_Gold\Quasar.v1.3.0.0.exe
  "C:\Users\Admin\Downloads\Quasar_Gold\Quasar.v1.3.0.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\usrData\svchost.exe.bat
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
8a7b86c7b79eac734070b9d10a165f58

SHA1
3daaaac1aa7994faef99e0a2984e58d05470ae35

SHA256
a46a1b3bc628f36e8fa6f2765b49ef186197ddd34994f5a73f3cc6f31d59c710

SHA512
482c200a4c82ff0c1eef653d98d01138428f9eff8e9a3ea3b2a32093775676fac373f88121db4836607fa7e67f69ddab8efb6f364e788bff209fb504052f51e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9953626e09acee59e46625e1da571b81

SHA1
43a047e9b71d8e8586058d233deb912394aa13be

SHA256
2dc8776ac78df8a87c2ef92e7ee3f255f539f361dbe13188da41fb244caf4ae6

SHA512
4c2eaacf294f49e5704c1ef1cdbe28852726ccc61b9d8fc47566980bc5978ebbd7e3a89df0604d15f78d42a5272f8572e6289e47967244e760c2639d7dfee4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
a29566daee32afcca55c7705a2abc895

SHA1
6353c27ceffdb87dd9401be6baced13b24653e38

SHA256
3cd4655bb545f36ec61edab864dd59c3fb3bdb9c70264ebba7af660b14463a59

SHA512
909af3da7a8a10d15550832406f3a7865e4bd7e24328e51ccd3916649fdf9286905dd87beb15b568f8970acd810e774efd22a4f099d0f6facfe333058367fc64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
260f5082314331e7c36e7bd48e45e898

SHA1
af876632a8ccf5c4595c28c386639b551497e204

SHA256
aca7805ee035881e6a89c41f5049adf3ba5275eb94e76c68d09ce865f2264348

SHA512
d9dfbb7ed20780a01cacb8669b765e0fa323d02b255a5e7e42220f76df51d08abb229906e06b0abea870f8cc977d4db58c3bc9ce56544a370112ed508eb72dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c7c61b0f73c4515f3f4dd54d0a148bd

SHA1
cc7f1c90c537d7300415205f7f46b33a3a31372a

SHA256
e5dfc68ed6149e29af308dc0f54823849d6a1505d1e2549e56daa3e9bd52b428

SHA512
ada54160091337eacaff1b958a6a6604c51fe7ea0775232c480b076893353275ce2b1fa2e1538592db950213f7efb8bb94841b21bdeab69a23a02a3c0d7b4feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f2c021d077a558291abd15409269e88a

SHA1
f5d72e5433bd97d9296e978dece8784e98c84432

SHA256
8661df05be68f338c107b6d00ec21a7bd7190dd169226d8429997dfe7b1ebbac

SHA512
82fdd774c9a67a5bf19de6f83747b4489aad3c63edbee107f2d93801cfd42eba5ea48d709acbfb181a31975daa9cbe91a3419bf95746bc8f1ec9a23ea7bc2c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
59c056996714aa369fcc525408517180

SHA1
702c5cb32c88c5537fe60ea56da4c4d8f54abce4

SHA256
144dfd5e19d57a3fc43936250b98c0bef6092ed38b5deb7dfa9a1d1b2600656d

SHA512
df334481d039ab751ceb383332bb47ced497f44dd74c5e4e5ff1127cfc1de806a87354715b279df646e6ac497903cdb72bd1bd0f52cbb3d6fd2561a75a06c727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
e323ce53513326f9f6da1567d24f02df

SHA1
e09aeea5d1b3b5a2d24f89c6eebf0a54670db175

SHA256
ae6bfb792952bb8c9276ed608f1577397fb30f076bfa96098f6c3830a1385f0e

SHA512
f532e05f79851cdfd3f6fd72fd0f15e640d6fd97a8736ca7133ea46780ce644e659f4cee9e3a529ee0e0471c6b601f404d308466ad735eb7219e04d5248e3d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
6fdaf4d9488f78fb0d15a92ed4af11e5

SHA1
bc92a86fa1977f4380a9ea294bc59f2a4c8e7c7e

SHA256
3b34d0355b700431f8679bacb5da80af650516906f69ec1a7c21a19062204139

SHA512
02235ae6d389bc36d3926e7e81c006dea292253c8e9fd29e0e3d1fc35c3d9233c2fc679ee9ce0982387ef4affbdfc20e364b75bd18ab3f2cab307d797189bf53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
132KB

MD5
4e2e91bba032f10e574e885f4e66cdc8

SHA1
748bb1a79b88a8bbcf2da3e1229da1efabd0103c

SHA256
59f3af8d5403c380fbe1c2299fa77cd266981ce66bb83eb5ce7917754b0d9dce

SHA512
9568db4c3cc61a615e53a7f9d09cef7e1faa4c5cf3734eaf2eb59dfced401b23f4dc484ed7fcc876d755d829e5f2f473bcdd4228944797c038cfe9ad031259d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
53a9eceaf84bde14ad0e2b8900ee0b1e

SHA1
4ef91f913e4332d65183f124d06c3f317e8438c1

SHA256
5c2bd2c3405db433d2003b23dfa355c2ad4d312762d321d2251596c6b7c62b89

SHA512
cc791dd87dec50ca517a7ec4072a3d454a0a0a6787ca373bb1e25705609219e1c2a258315625dd3eb69099fc2f732dfd5436400c1de53bbe4d488e491418acc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57cb10.TMP

Filesize
88KB

MD5
cbda852fe45985d6bdd565ec756deb09

SHA1
cb0ef679d62b2671b91b276025e4a448302a7d7e

SHA256
44ac2312b3f0bef95209d650015b02bfae1caae13cb0a4ad2ccde5ca187788f6

SHA512
7235cec04decd62afd3877b95139d812dcfc69ed546c711ac24761ee62c19a165b31d8e85279e3ef5870cef83bc6a84a89b3e362ea1035840dcb266abeb2e1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
1.4MB

MD5
f5b646636c590173e0fd121be94f0d11

SHA1
e7344d535b6741b8de1659de551733de2c47f04e

SHA256
fb66ee208986c19f46f473704cc37378f2cc78225ed76e4049f7b0332986b176

SHA512
f79444a79c4cff723da688df9799a24632c7545593e75b4ac8ecde94fbcaa358eeefa6b4423ebb54af45bef05fe4f1be1b75b28aa1abd047705a434f0d76e2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.xml

Filesize
51B

MD5
8af01757cc429d1347430084913566d1

SHA1
e4ec570a0b1a5c99e0613da232eeff4b42ffaa75

SHA256
f1a33cd5b1c9368f73b8ff144bed026664577317df27baff774b2bd2acbd52ef

SHA512
3edbca5a661d0fbdd0f8aac994b50e3f844e1d6ee6bfeadf0d8aa89fab1b7cec69b9f687a704c7a989726bb676604e2cdb75ca30441e94a05fdd4027ec9a494a

Download Submit
C:\Users\Admin\AppData\Roaming\usrData\svchost.exe.bat

Filesize
204B

MD5
1ab846549b578566306e3f01401ba84b

SHA1
24ac7aaa02c07ee593997f29bd79b44ac5a07bbf

SHA256
07590f1398f5a81ecf03c054063079beed7df8d0fc24d8b9199338600ae27e8a

SHA512
094a595779eb1fa501e8c5de21eb2258a50b6edbf0f3dca1cd68a3387752c1891dc45243da4f9b49b49a72471368f10b1c9ec66d5d63e3c8cb922ada52517ef2

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold.rar

Filesize
3.2MB

MD5
6788cbd1cd11248d535e398b840ec337

SHA1
a55cea0f69be2334f7826c9a8d79ac440a3fbc7a

SHA256
6b526726b718489b2cdf315d2c8f5d6405b02e1cd6b0c32dc6c80970feae2ec2

SHA512
2a94a82f12ca95397d16f8c198f5e995a8c3f250f262eade13e0475e6d87418880c3284a3132c446e44c7ebbc60550b8a6b6233601de29283b418eacb5d8f01e

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Client.exe

Filesize
270KB

MD5
b67c56ef6c03f9e108b860517bba4f4c

SHA1
3203003f975f6a77f90d41da3f061b727c0d639e

SHA256
7120fb60f26176e32da4c4d0bc57c9da8e667eb0c4a330e8cecb6f01e593774b

SHA512
00a497bc903eb73246b17a794dc7f8875b0e7bf9992e523168f048ca7a5ca36bf6de686157d27f574b4b4279b2938f45eacf5574c56153ca53e046d6f696c022

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Quasar.v1.3.0.0.exe

Filesize
1.9MB

MD5
1459ff8e72abfa77593aa1b2bca6b52a

SHA1
f4071f509701bb94110d27bbb7487eb732d5295a

SHA256
cfd4666e871ca3152c1823ea26af468cbbbad5c78d5bc319613f639b40880b61

SHA512
efcaed7c5c0e73ed9bf5c8af4f8e73302c2dccb82ec1556daf402d864ff1d511e284fe32618589651775eb06a7a5eca86cb4e62c609de9a0e8ff040a09bde0d1

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Server\Forms\FrmAddToAutostart.resx

Filesize
52KB

MD5
c5f785b9eabb7176dfa939efe4c59bfd

SHA1
809f7dc01d8ce8bd72ba5b546cf4ea1018634d53

SHA256
74205c2967bae78ef5d1f7b3e977eaa78bf0073962bbe4d16cdb7cc039d9a8a5

SHA512
f289122b3a1ac645abb903799be9a1ff50c58d58cd86baa9c247ca4ebca82d69e11d7b77225e9d3440dfede6ed44df5d148fe652259322e56b91b3f55b68e4e9

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Server\flags\re.png

Filesize
545B

MD5
c1cf1874c3305e5663547a48f6ad2d8c

SHA1
0f67f12d76a0543772a3259a3b38935381349e01

SHA256
79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842

SHA512
c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Server\flags\sj.png

Filesize
512B

MD5
559ce5baaee373db8da150a5066c1062

SHA1
ee80e5f63c986d04f46bff10f639113c88107ced

SHA256
f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c

SHA512
c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

Download Submit
C:\Users\Admin\Downloads\Quasar_Gold\Server\obj\Release\xServer.Forms.FrmBuilder.resources

Filesize
31KB

MD5
6e3ba8b328ac9bf2a07b30159046d990

SHA1
b3809725e7e1d1e307b3763c3430c1ba6540ac9f

SHA256
f601a9675a4777fb08ba084f3aa04895b2d293629740ac29f2bd1dbe33e972ab

SHA512
d6ab0cbb1bdd61a6e2923109ae5ad41fb78f9c3093f45eec97c30210a32993356855a12d74274bbfeb2ea0c55052367c6bd7498874b308d3ed98bb838d257876

Download Submit
memory/2308-2119-0x00000000004C0000-0x000000000062E000-memory.dmp

Filesize
1.4MB

Download
memory/3324-2127-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2128-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2125-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2130-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2145-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2159-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2132-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3324-2129-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4776-2107-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download