quasar | d91cfd3cae8c9fe75b7756d1fd986c1f952fbde751e2005cd8a1b44feec18100

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e/Client-built.exe
Size

3.1MB
MD5

aa577b65aef014d53b006d781d104ef6
SHA1

318e06013bbfcfdd14f4e21aa2540f1f1dfe0039
SHA256

242351aa410188e74858d60f04973bf05071b98e82f6494d2ba1851d23fdf178
SHA512

45649bade97928524c7b1e6d456f7abe2036fe33775ac4308c786bd3a8d1ce68ce7ff12dbddb4c80b8d3c28324b13ec37e0ec72c856ce15c32e0724952deace5
SSDEEP

49152:Hv+lL26AaNeWgPhlmVqvMQ7XSKXXxNESEdk/iKLoGdYTHHB72eh2NT:HvuL26AaNeWgPhlmVqkQ7XSKnx80

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.1:4782

88.98.207.207:4782

Mutex

6d19d2f9-1235-4b10-a1dd-486dc3edd052

Attributes

encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3740-1-0x0000000000470000-0x0000000000794000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4584 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2060 schtasks.exe
3628 schtasks.exe

pid	process
4584	Client.exe

pid	process
2060	schtasks.exe
3628	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618443930603801"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1892 chrome.exe
1892 chrome.exe
2332 chrome.exe
2332 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid process

4584 Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1892 chrome.exe
1892 chrome.exe
1892 chrome.exe
1892 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	chrome.exe

pid	process
4584	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3740	Client-built.exe
Token: SeDebugPrivilege	4584	Client.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4584 Client.exe

pid	process
4584	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 3740 wrote to memory of 2060	3740	Client-built.exe	schtasks.exe
PID 3740 wrote to memory of 2060	3740	Client-built.exe	schtasks.exe
PID 3740 wrote to memory of 4584	3740	Client-built.exe	Client.exe
PID 3740 wrote to memory of 4584	3740	Client-built.exe	Client.exe
PID 4584 wrote to memory of 3628	4584	Client.exe	schtasks.exe
PID 4584 wrote to memory of 3628	4584	Client.exe	schtasks.exe
PID 1892 wrote to memory of 1920	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1920	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 3164	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 2636	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 2636	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe
PID 1892 wrote to memory of 1524	1892	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\e\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2060

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9db3ab58,0x7ffa9db3ab68,0x7ffa9db3ab78
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:2
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:1
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:1
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4064 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:1
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2648 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:1
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:8
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1896,i,17442916067286922074,13054484259846024546,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe"
1⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe"
1⤵
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
74c3766a831c5edac467e1ec57edfcfe

SHA1
c99d07817c6064e1164e748bf9fa21068f040945

SHA256
565d08ddde85528f62afa24632178b7a8e4d4c9272f8916bba282a0d3d283252

SHA512
b681a5416e9cf4f95d38f99db31f7b9d8315012cdddbd9aa025bbdf791540bf987cc9084227098afbe38793662388f2bc1c0103d53fdaf34ddd803ba3c192adc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
3c6567372e3b5e3769dfdc8cf112c313

SHA1
3be34a74a5297a37d8f6dd742c04786cf4909d54

SHA256
8769e24ac75349b3a7a58d46ba8ed096db337bcb6013da24eaf00e9750e0f43d

SHA512
06ffa03bdcc7cb996827e8a8649845b447a1f3e5b013f86ea4b309bdf098b34a528876e958387f4c43ebf8fb70bd0a48de3e3d063cebd7d438380ab5e91280f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
380d8ff1dbd41cbac73689f07153688e

SHA1
a48f09d40c954f27f1d98f24fb150215d8e0a454

SHA256
667b401898823eb0dd5d9ab7c4d87c8c67b7974a3699ee2ec5a15d12f0de887b

SHA512
2c9f9ea98a8fbe1437db2e08574e11a2cca53c00e99a1c341e19357ad3dfecb1833b5d629fb4a6e25e3c051c8e4db33f177b91fce530269d314cc88e7c31d38f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
081a92db9081378d0a00bfc7790d8b5a

SHA1
2d22373e0e29bd9ffa8e5273a5091c8564ac9507

SHA256
b6c1829d7ee3dc03a4f69c01347eac63d1fbf6fde62e4a6baaf2ce62b7da93e3

SHA512
7fbf93607ad290f588ec7eca28c4ddebb71642e02bbd81e3f0086e51a0636c333de03b3411a00cf6a1001e7fc3807e1b7fe172f171f3ddd6d510cd8c15e0a473

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
06c67a92f247adf3a79e3c52039cc6e9

SHA1
3bbf5eedc41054d1e3c7395adcafa0ec8fe294bc

SHA256
0dec8182b7ddb75f3ace3ca067c58b3fab7239704e2b156b48591a2fa3a4a784

SHA512
b2b9d972b7d0bcf68ed730f72fcb03fd1d211c639aded37fe48c0b98a2735345f992449959500375395bd5eee8c39a97c1756bab06be6fdaaa765ef95c854ab5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1024B

MD5
9397737d9535f192879e1c30dc120676

SHA1
e1395198dfb0e7b4e6ebfa7392ad0cd066e96a04

SHA256
76cc9bef81b97c0658837d1e6f694750ed1e908e2e2d454b53d4772b2cdf815a

SHA512
7e89081803dff98534d7c4b97e6fd0032ef7ac7001b3349777dd73237b240e7fb4d5807d8c08da9ae47332f0c308d1ae9917c7f341e38a0c1f9fbc27b834d019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e69572b4003516b2e77941e1bd74d11d

SHA1
d038545f69929c1fac50f43647049932e8b89cf8

SHA256
4e11c3eff1d96a6f538b7e7870d224c3665dcddfcd273e6ec76adc366830c835

SHA512
c345e91c1da88172d2a88216440ecf094f98736cad00085e511124be47ae2da7989fb04855560ac54a2f1c22783621d3ffdbdc211b9ee763bd6a2cb712ab792f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4b2667637e533f392c38becf173449d8

SHA1
c1d51648dc5f9959dcd6d00ec2050fd98cb1e227

SHA256
15df4152c05175880cf917cfb3e6b90b3715105ce9169f3fb44fe754c4fb45d6

SHA512
eeb89dc7f5a2d95d3c7f19d40a1bd0ca491b4a4e32d54d26ff95591ce297c6213c9cd7d6f61cc5706b076ccb3f613213469bbbe5b3dd0cb9d4a65e8fa761e7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
96cf3ee14f849d2e84ddb9ff61aac1f9

SHA1
eb20f0353f1e25b951f94474b08fd7438c5043d0

SHA256
d7d18f872e579dd7d0d20dfb34aa16c30dc07ca3919c07811a8761523e13bc1e

SHA512
0d275741361d8e33e7ac328d3528c426e5dcd303768d1fa8a4dcaffaed045f790843ce5ee900f33aef3b87c9d77708b5ca27fdefa97e0e41a8d02d2a3963a296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e8e3061b9814f63c7f80d0fa578e3c46

SHA1
d002fbba9f2b0798e4938fcde14120a0ce3d7238

SHA256
021e7857b17fa44adb17eafd59f88b1afbccd9274f7ee1fc2c185c57e947721c

SHA512
ac542c300a59019fe3c5a70030083c49c2af5316e4aacb50753f18763444877613871473790d254e8bf12c2271e116f20d5aba1a90f0db83228040f399710879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
25241f60fdbbf2cb01849d2084915cf1

SHA1
1c2dfb99423498c7be570a51db9eb3d978ce4070

SHA256
496a89112573c78662173f9fc3d7486ef53b495acbfa58b0835fcbae490bca31

SHA512
67b46bc2dd688f59cf1e402c7c655c6434d148dfc8775fc18b82809d10b93103ef842da5574b066b0175d9e9dc9703e364f402c829a5688b427f4522a62c4f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
3b9183aa428a245e8da4d05c55d11bfa

SHA1
a85c5e296aea2e13124cdb62730d11db60ea259e

SHA256
d39bdcb2334f0c5868499dce3be7ec07c09e68f8ee1eec180e0dd4c1ba249916

SHA512
4470aee8750b958cdb49f4b7ec24da75c79a70f512cbdd313614365b1265dc1c2b37f23d0d6653a112f6295c7bc240c2f52e65cdcb45a19190940bc174ca71ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
4e96137ae1e9df49949e5533e53a4f25

SHA1
dc021babd2a6744bc1998a56b3cba38c370661cb

SHA256
8931f126e47445550a47c6700538e8d49772c39f3a22a80ecb7e849ba761db76

SHA512
a17f45123062bd200c6fd1b123e853c217e8c5ebb594cba1c99170b79392a6b31082c63bea0bd252c3b296f6c2d85bfa294763f30a10910f2d1a4fe41930dfcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
7ad5867aa9924cfb17428f1517b49d8e

SHA1
aa89a56bd3da40ac8b85419e36a0342ae4c229ce

SHA256
a3dfac30186502cf31e91a0d291ae6e33866d5e0f07d397ace0338a69bc8b4bd

SHA512
0ec39ec8e709a352f3199b91d9ba325536173bcdf49be14ff3867fb28297281ba26c1022ede661bec494b13de0ebd8c5cc9327fa2497921abe5a8f788b7d669c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584031.TMP
Filesize
87KB

MD5
8067d541e77d9b496c946165fd083eb7

SHA1
e07985add60a72f74f6db2f2665bc9333dd0b521

SHA256
880692602a2102aed59e5879b88559b83a0679a202d36028aaa57c2a192be81c

SHA512
5a1a83eb0087cf78214529f4e2a3ada020308acdfd89e68b2a5f2f0cc19031615fcb089cd7c2289b426e0f468e90ee4441da7b8d79aaababa35d0f20c5fede31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
aa577b65aef014d53b006d781d104ef6

SHA1
318e06013bbfcfdd14f4e21aa2540f1f1dfe0039

SHA256
242351aa410188e74858d60f04973bf05071b98e82f6494d2ba1851d23fdf178

SHA512
45649bade97928524c7b1e6d456f7abe2036fe33775ac4308c786bd3a8d1ce68ce7ff12dbddb4c80b8d3c28324b13ec37e0ec72c856ce15c32e0724952deace5

Download Submit
C:\Users\Admin\Downloads\Hello.zip.crdownload
Filesize
1.2MB

MD5
841effd0ddf0100acce68a802aca7400

SHA1
8f4b8c69e3371b13432271fc7a54df56a2dace4d

SHA256
d91cfd3cae8c9fe75b7756d1fd986c1f952fbde751e2005cd8a1b44feec18100

SHA512
0e55f6817c0b7e7d3e022275e002d36e84ca45157a585ac16bfa92e44bd283d2d7660bf932ecf6c4f829a373d41f42aadd17fbba0155024b3ee7f9e8ed0ee933

Download Submit
\??\pipe\crashpad_1892_XCDQQRKLNXHDFRKK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3740-9-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-1-0x0000000000470000-0x0000000000794000-memory.dmp

Filesize
3.1MB

Download
memory/3740-2-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-0-0x00007FFAA29F3000-0x00007FFAA29F5000-memory.dmp

Filesize
8KB

Download
memory/4584-12-0x000000001BCF0000-0x000000001BD40000-memory.dmp

Filesize
320KB

Download
memory/4584-10-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-11-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-72-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-13-0x000000001BE00000-0x000000001BEB2000-memory.dmp

Filesize
712KB

Download
memory/4584-14-0x000000001C5F0000-0x000000001CB18000-memory.dmp

Filesize
5.2MB

Download
memory/4584-80-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download