quasar | d91cfd3cae8c9fe75b7756d1fd986c1f952fbde751e2005cd8a1b44feec18100

Resubmissions

02-06-2024 23:32

240602-3jg1psbb8t 10

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e/Client-built.exe
Size

3.1MB
MD5

aa577b65aef014d53b006d781d104ef6
SHA1

318e06013bbfcfdd14f4e21aa2540f1f1dfe0039
SHA256

242351aa410188e74858d60f04973bf05071b98e82f6494d2ba1851d23fdf178
SHA512

45649bade97928524c7b1e6d456f7abe2036fe33775ac4308c786bd3a8d1ce68ce7ff12dbddb4c80b8d3c28324b13ec37e0ec72c856ce15c32e0724952deace5
SSDEEP

49152:Hv+lL26AaNeWgPhlmVqvMQ7XSKXXxNESEdk/iKLoGdYTHHB72eh2NT:HvuL26AaNeWgPhlmVqkQ7XSKnx80

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.1:4782

88.98.207.207:4782

Mutex

6d19d2f9-1235-4b10-a1dd-486dc3edd052

Attributes

encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5052-1-0x0000000000BE0000-0x0000000000F04000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1552 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2120 schtasks.exe
464 schtasks.exe

pid	process
1552	Client.exe

pid	process
2120	schtasks.exe
464	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618447715941509"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1316 chrome.exe
1316 chrome.exe
2628 chrome.exe
2628 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid process

1552 Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1316 chrome.exe
1316 chrome.exe
1316 chrome.exe
1316 chrome.exe
1316 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe

pid	process
1552	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5052	Client-built.exe
Token: SeDebugPrivilege	1552	Client.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe
Token: SeShutdownPrivilege	1316	chrome.exe
Token: SeCreatePagefilePrivilege	1316	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe
1316	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1552 Client.exe

pid	process
1552	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exechrome.exe

description	pid	process	target process
PID 5052 wrote to memory of 2120	5052	Client-built.exe	schtasks.exe
PID 5052 wrote to memory of 2120	5052	Client-built.exe	schtasks.exe
PID 5052 wrote to memory of 1552	5052	Client-built.exe	Client.exe
PID 5052 wrote to memory of 1552	5052	Client-built.exe	Client.exe
PID 1316 wrote to memory of 3096	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 3096	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 116	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 4804	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 4804	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe
PID 1316 wrote to memory of 2752	1316	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\e\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2120

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1cecab58,0x7ffb1cecab68,0x7ffb1cecab78
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:2
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:1
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3592 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3892 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4668 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4108 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1908,i,1412515560851515697,15507211482323368265,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe"
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe"
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\e\Client-built.exe"
1⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
015e194ac98475c1f047901782cff746

SHA1
4b5d931cecf3f0ac67af7be4da8e50693c043339

SHA256
a80a347da952ddca21bf01ae744569fe7b5c75227e69cc62ec8be6cad3692ef8

SHA512
c185c7965b75796ba4599eddcd5ed17cf3dba6d3301add35ef6d87f2c17061d2a61d0ed7cd68a9ff259cd5422cc3f9cc9f6d6c72244b39bb87ffbe4ee9a3c849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
653bbf672a5ff1d60ea35c2fa1afeb7f

SHA1
0d2154334a865c20cdcdce0c829c06093f013f80

SHA256
cfb473b38993ed734eefc7d805ce474122ddc841764a04aa33c66d189803406a

SHA512
e51a08b7c8e9bd1df98c484d002586a7e7db0d913727d6fb24bb1ec9348e5fd64f2ad89768dcb85cc28c5406ef64ad86faea589d0ba7d86daf1bea7191f8e52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
7b5048b076babbb47acfccbd68e89def

SHA1
a4a5202a227b2fee976e63d343b90806977fbb5e

SHA256
b204a044f9b89c590b2842880c1e3e2400800e8ab69f2c423a2ddd99eb518148

SHA512
108c85cc6745e85e1a7fe26c95617cce7965d458d7694be690fdd23622d6dddad57cd0243046b7dc11c6e5570754e64930c9e19b1df2ec1e0123053ad8dc14ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
1355c833d1bda32567691eb00546ffb2

SHA1
02ee8bf963259586085a105cffaf986d2714a402

SHA256
d9ac142eef45ae9affed7ea08f1591fc72d505c11a674b30bec8df5e800a8089

SHA512
df76a8ce4bc78e4627b669c660d72f63d70099b79745095e530370170785792dd1c3ba227e74fcc7ff9e46eb634f701289ec7d637be8e253274db2371210b0c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f85a9aa27785bb9d43e37b105ec108e5

SHA1
83c3fb42341c23ca841b0fffad91e492102ae8c1

SHA256
c6ab731d309b13294d2ddd666aa4a386bd8f1ff7eca0f7e1a2339249da6d1b4c

SHA512
8ad0a2d8ae190a7250f35bdfc7f82691549945a48ff6c06d3922b3d5d8228fd8341d7b334a93bbafce5dfb0954560d48ae52a8396c5b6de8c0e9ee059987707c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b6bc5eeabed1fdb8ee63c77dbccd9d87

SHA1
eceae3e0c8046adaa97c60761e05b47c2376792b

SHA256
ee6018192a7f1f91009cda0c09bce535dac45c0c8c6ada3f78a803545b4a50c6

SHA512
c9e2cecbdfdd9f447d80d4b909b815de15e36c89e0d63de3813ca181e53365656fc513a0516ff3aa34ee17ad9e4b4c7f9b9aa1ccd059eeac264b344a63f83263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
900673d428afae32ca0d80d7fa4c9411

SHA1
bacb19e11bf69e1a2872a91aaaf01942fe961874

SHA256
71c20ab9c78dd42e0bf84402fd0d1589c29582c508fc156f543f52657182fd19

SHA512
8c96ed388dc79a9ba388d196d38c3e0307c2559517cbba44a3037d226ccc167aa3feafdfa9de6a14d0bbd226dcc56565c95236d8e902c8d7e487003b34998cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ef10a81158d9c60717b75a9629985d47

SHA1
ef9720a48ef346062fefa0618022dfe75e721657

SHA256
0da4fcd570f29c23d5cb6cbf5ff3adaba29784398b63f8adb6841acc469a105a

SHA512
99d826c7646bfb431a6992e0904c6692c2b32bdf511e61e8a197c4622cc3835fb1ddf46a4f66cece14f2e096b53101431812a975b5d591338a1f6320ddc6f254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
bba6b4e710846842b7d23e753e9e8ed3

SHA1
1abddc9af7b133385cba38794228678bfaaf3a73

SHA256
6a75dd10fa964d4979cceb6738844c152fed24fbd874725b9e3192f08068dcee

SHA512
5136e5e7b73880f71bb9052b826871e2d8c84625c699da147557544e0a0908594777d2dbd8b606d6c7da0ba3e6bc0bce8b0d71c899b94f41052c766da6f98e0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
73d653d9f9b0d8ed2434cbe7d64e9331

SHA1
89173dbbe9994dbfe02c0f36a1effd3af8d12df4

SHA256
a923a32c1c1c4bffad815141d8c51489fbe7aa005c94607d3e2c94cc509dc4d2

SHA512
c9635b257440309f073cf462a81404d8803bf4e149cc8e3f7c92cd2d81d3009ba152b858ea8f5af1edeca76ad6d6de479ef07c1a808117d573a3c5ac5471f252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581c6c.TMP
Filesize
88KB

MD5
8c20fa1bab77f7d790378da1d281758d

SHA1
db9b282060f546216d85e6dd58b9a588620a037a

SHA256
17c508110a1240b548bb486c8ed47b5e2a2e7cf085fd6e2c72ed4e12b294f769

SHA512
7b792a5c00139cf41a33996da8b102ce3cb83ba09d03bb6e6c6263edf9c00e2647ee02c678de76442e06b18280a004d5392c292fc98bf5ada467b2ec3f59cc80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
aa577b65aef014d53b006d781d104ef6

SHA1
318e06013bbfcfdd14f4e21aa2540f1f1dfe0039

SHA256
242351aa410188e74858d60f04973bf05071b98e82f6494d2ba1851d23fdf178

SHA512
45649bade97928524c7b1e6d456f7abe2036fe33775ac4308c786bd3a8d1ce68ce7ff12dbddb4c80b8d3c28324b13ec37e0ec72c856ce15c32e0724952deace5

Download Submit
C:\Users\Admin\Downloads\Hello.zip.crdownload
Filesize
1.2MB

MD5
841effd0ddf0100acce68a802aca7400

SHA1
8f4b8c69e3371b13432271fc7a54df56a2dace4d

SHA256
d91cfd3cae8c9fe75b7756d1fd986c1f952fbde751e2005cd8a1b44feec18100

SHA512
0e55f6817c0b7e7d3e022275e002d36e84ca45157a585ac16bfa92e44bd283d2d7660bf932ecf6c4f829a373d41f42aadd17fbba0155024b3ee7f9e8ed0ee933

Download Submit
\??\pipe\crashpad_1316_YTMZNWFRGQHBMJGY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1552-83-0x000000001C530000-0x000000001CA58000-memory.dmp

Filesize
5.2MB

Download
memory/1552-85-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/1552-86-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/1552-22-0x000000001BE40000-0x000000001BEF2000-memory.dmp

Filesize
712KB

Download
memory/1552-21-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/1552-11-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/1552-10-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/5052-0-0x00007FFB22493000-0x00007FFB22495000-memory.dmp

Filesize
8KB

Download
memory/5052-9-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/5052-2-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

Filesize
10.8MB

Download
memory/5052-1-0x0000000000BE0000-0x0000000000F04000-memory.dmp

Filesize
3.1MB

Download