quasar | f8b020a7d73dd702f0be5c3b77c4de8ee142bd5a3aac3f4ebc64f16fa9715985

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

87c807da5b4a2a646390105dac94bc61
SHA1

597d80ed4349e431c5c059ee655c93a0c68e6528
SHA256

459c4c1fbef1557b5f4ead03465530713785c9cb48e2b365f5affe8e93dbec5f
SHA512

825df40a735987d48d328193260f885294c683c12cbb18ae5d07b889c3b7482a90cd02f05aac2d3c362fa817b6502cbec2ae6f0a6378477a9663ef477408ee9f
SSDEEP

49152:uvtG42pda6D+/PjlLOlg6yQipVAQRJ6abR3LoGdfTHHB72eh2NT:uvE42pda6D+/PjlLOlZyQipVAQRJ60

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.1:4782

88.98.207.207:4782

192.168.1.211:4782

Mutex

6d19d2f9-1235-4b10-a1dd-486dc3edd052

Attributes

encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2456-1-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4036 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4628 schtasks.exe
3288 schtasks.exe

pid	process
4036	Client.exe

pid	process
4628	schtasks.exe
3288	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618451118129277"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1064 chrome.exe
1064 chrome.exe
3480 chrome.exe
3480 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid process

4036 Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1064 chrome.exe
1064 chrome.exe
1064 chrome.exe
1064 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe

pid	process
4036	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2456	Client-built.exe
Token: SeDebugPrivilege	4036	Client.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4036 Client.exe

pid	process
4036	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 2456 wrote to memory of 4628	2456	Client-built.exe	schtasks.exe
PID 2456 wrote to memory of 4628	2456	Client-built.exe	schtasks.exe
PID 2456 wrote to memory of 4036	2456	Client-built.exe	Client.exe
PID 2456 wrote to memory of 4036	2456	Client-built.exe	Client.exe
PID 4036 wrote to memory of 3288	4036	Client.exe	schtasks.exe
PID 4036 wrote to memory of 3288	4036	Client.exe	schtasks.exe
PID 1064 wrote to memory of 3476	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 3476	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 696	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1244	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1244	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe
PID 1064 wrote to memory of 1748	1064	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4628

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb97edab58,0x7ffb97edab68,0x7ffb97edab78
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:2
2⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:1
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:1
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3916 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4728 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:1
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:8
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1916,i,1493725131620918671,7424786296372366004,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
344a6e8d07c4b9681dc1700aebfc632e

SHA1
5d3a0122d5a34298eb4560e3d1adb99134417818

SHA256
8d053c9e0724733af119dfafec1a613527f51f14f424aca5b8de7bb1df72f7e5

SHA512
db9f8ebbbc46ea193f2ece87e69010f97c586c495df646e83d1acc5afadae606b4d3e186ef1e9bc05c821be9c0d7c19e546edbcce5001c6662e5030a08a43b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
dd698aeb29780031f4763dfaf3f7d8c1

SHA1
69321f2b183ce7003c1e9abb58fb86332c0d88db

SHA256
67785e94e4105d479d84079c77558ae8fc646139f76d9c18eb30c69811948fea

SHA512
677d93d4347a4371ce9825c3b9b11c3bd0e6c33c85bfdf49731f0b812060d147ab956b4db61c988cf9e94788e6cc2e5b78669a6d34d2636d5060ec3b5ee5fcdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
28e9eb58ad894b9c2e54e76439fd5999

SHA1
f9b8cb7c92215df4190585e1ae46361e8143e072

SHA256
53e39c50a19e887c51172151d320ef0a81793737287ac92e243cf4994596ae7c

SHA512
c23112010b86e3fc727e9d8f8a4e0ee82f7f83bb58c584d5dd518aea77e55dd0f217e74f82b0352b4879dfa578179b7f23acd6f6edeb42008af06d9a6cf2e93c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
49b3bba1aceee9955ea31aac3a3d3415

SHA1
191a5b13d163e8ba7bc9e5b477100549c6cb777b

SHA256
244151acd3325428395b4e47d55c5d09734ebe431bc6a5bad0b4090856007094

SHA512
76874e2c499999bd6affc0b267e61484a315b3e02b21f1f4f851858637d1c7cf8331de7d3daee735bdd48ff1020eb16bef5f1a5b8a639d9dda9798acdbe334ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e561254e4541aa1a6f9eea9ddbf9a528

SHA1
a596c8de42b3456b0e4b259e4d815dc01181ad36

SHA256
3c98918491aee499a0cc88f5c0a7d3a3578ea8bdf609cff53607d94434ea2015

SHA512
24eb9dd8d025d10c6e9f80794ba0e832b6560c57fd243bf10078100ae7195d549d584280b4be99e1ba15bb05846c47abb0341cd151b170f51d6572c8a56d415a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
49afd3ab310c051364275174ac733ee9

SHA1
3e3e03e223d430cd641b3266b6ad07f2263cc225

SHA256
2e686a39a931ed57a9218acab84df71363fb9a6f31770d39057a5435c17ad7cd

SHA512
4ee5577deecc65656e617241c808924cb647acadebb2e42cf35a5893eae6a80d2131f0d193eed4224fa7cc37d2d7a12c7a3db9f3c0e2c3fd02970b058dbca456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
5e16ae4ef41a127d9e5da8c518b19dae

SHA1
40fe4b1a891b649ab729ba4db1ed3e8acc692235

SHA256
8199b5e96370646d1c8e6f92e6cd0010d46b059f74351fce0192e2ca5d2a7b22

SHA512
e2aee3a1cf1a51e690b7123323fb93ee2e2d7ebf182d4ca6182ce26944c8a4a698cbdb19354502be8d839a877032dbd93c188216996e94c46fbb275c86c1ee49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
e4cb888a583cd786f4a6b9fe78e6ed17

SHA1
6cc393aa8a310a6c40862bb974df501f765b8327

SHA256
91bf9ad74bf7c0a63e14a2bf8f5521c9af47c764eeb624a04220c492ce92c63c

SHA512
949cab99fa4a31b00a503df99df203a4b8fc40672813f5544832db18e1837b332bad2eb2507ad4eb2bbf053a16af1d397c842a0f3ac36fe2cc06b11b88823ffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
73d653d9f9b0d8ed2434cbe7d64e9331

SHA1
89173dbbe9994dbfe02c0f36a1effd3af8d12df4

SHA256
a923a32c1c1c4bffad815141d8c51489fbe7aa005c94607d3e2c94cc509dc4d2

SHA512
c9635b257440309f073cf462a81404d8803bf4e149cc8e3f7c92cd2d81d3009ba152b858ea8f5af1edeca76ad6d6de479ef07c1a808117d573a3c5ac5471f252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e7fe.TMP
Filesize
88KB

MD5
8c20fa1bab77f7d790378da1d281758d

SHA1
db9b282060f546216d85e6dd58b9a588620a037a

SHA256
17c508110a1240b548bb486c8ed47b5e2a2e7cf085fd6e2c72ed4e12b294f769

SHA512
7b792a5c00139cf41a33996da8b102ce3cb83ba09d03bb6e6c6263edf9c00e2647ee02c678de76442e06b18280a004d5392c292fc98bf5ada467b2ec3f59cc80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
87c807da5b4a2a646390105dac94bc61

SHA1
597d80ed4349e431c5c059ee655c93a0c68e6528

SHA256
459c4c1fbef1557b5f4ead03465530713785c9cb48e2b365f5affe8e93dbec5f

SHA512
825df40a735987d48d328193260f885294c683c12cbb18ae5d07b889c3b7482a90cd02f05aac2d3c362fa817b6502cbec2ae6f0a6378477a9663ef477408ee9f

Download Submit
C:\Users\Admin\Downloads\Hello.zip
Filesize
1.2MB

MD5
71a5a0777c905188d8d419b0e4914fd5

SHA1
a2f0d35a8a4eedeb574db6dc5bb6cff8d4f0eef9

SHA256
f8b020a7d73dd702f0be5c3b77c4de8ee142bd5a3aac3f4ebc64f16fa9715985

SHA512
66da0f340079383705c195dee3e23e55fa101287817e0ae06aa6a3187edb4136ce7a357615c026f30c13de899906bf440cf7c4902dfa421b0bcbee2f08ee4698

Download Submit
\??\pipe\crashpad_1064_DVOXAGTXLILTTGUO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2456-0-0x00007FFB9D473000-0x00007FFB9D475000-memory.dmp

Filesize
8KB

Download
memory/2456-10-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download
memory/2456-2-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download
memory/2456-1-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/4036-48-0x000000001CAC0000-0x000000001CFE8000-memory.dmp

Filesize
5.2MB

Download
memory/4036-80-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download
memory/4036-81-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download
memory/4036-14-0x000000001C2D0000-0x000000001C382000-memory.dmp

Filesize
712KB

Download
memory/4036-13-0x000000001BAC0000-0x000000001BB10000-memory.dmp

Filesize
320KB

Download
memory/4036-11-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download
memory/4036-9-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

Filesize
10.8MB

Download