quasar | 7e0c75a10e45e707e25ff968ddf24cb7ed73fd80ae49a04091a1a51f13bd1fb9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c7d2cead872af6fb32edddcf71b5111b
SHA1

7bbdc422948e09751d8fd35d384bc2ed8f6d9eff
SHA256

97b3602ac7222d914c4a8fb116e76582f695c377b6bf5d524489a2dc3ea90d8b
SHA512

822b76495194780a9aa8f6352cb0d1b718c9e2a2c6f9d0f74cde6bc139c7d2959f82f95d2c89b36e7b2890fd3b7fd05a4d139238d1aad9cb6cfc4cbd84ebf015
SSDEEP

49152:dv9zn3r24paQe+GPhlz1Tt6U7PkD6sg3yR2YRAkCKLoGJYjTHHB72eh2NT:dvFr24paQe+GPhlz1TwU7PkDng3yn

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.1:4782

88.98.207.207:4782

192.168.1.211:4782

192.168.0.132:4782

2a01:4b00:b31a:3e00:d4a4:5f88:ab8:cc7d:4782

fd00::1617:c634:9b0b:2a22:4782

2a01:4b00:b31a:3e00:c7a:623f:eb1:3db6:4782

fd00::c7a:623f:eb1:3db6:4782

fe80::19ef:ec1a:f41f:39a5%5:4782

Mutex

6d19d2f9-1235-4b10-a1dd-486dc3edd052

Attributes

encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/452-1-0x0000000000490000-0x00000000007B4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3936 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1772 schtasks.exe
1340 schtasks.exe

pid	process
3936	Client.exe

pid	process
1772	schtasks.exe
1340	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618454075432096"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1900 chrome.exe
1900 chrome.exe
2012 chrome.exe
2012 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Client.exe

pid process

3936 Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1900 chrome.exe
1900 chrome.exe
1900 chrome.exe
1900 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	chrome.exe

pid	process
3936	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	452	Client-built.exe
Token: SeDebugPrivilege	3936	Client.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe
Token: SeShutdownPrivilege	1900	chrome.exe
Token: SeCreatePagefilePrivilege	1900	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3936 Client.exe

pid	process
3936	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 452 wrote to memory of 1772	452	Client-built.exe	schtasks.exe
PID 452 wrote to memory of 1772	452	Client-built.exe	schtasks.exe
PID 452 wrote to memory of 3936	452	Client-built.exe	Client.exe
PID 452 wrote to memory of 3936	452	Client-built.exe	Client.exe
PID 3936 wrote to memory of 1340	3936	Client.exe	schtasks.exe
PID 3936 wrote to memory of 1340	3936	Client.exe	schtasks.exe
PID 1900 wrote to memory of 1824	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1824	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4408	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1068	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 1068	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe
PID 1900 wrote to memory of 4584	1900	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae8a1ab58,0x7ffae8a1ab68,0x7ffae8a1ab78
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:2
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4208 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4712 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2460 --field-trial-handle=1952,i,10374176600318382350,7525993239894741596,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:1568

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
71ea0417987ccfdba7c2256d1de431e9

SHA1
12dce237a38845a80c6ce155077b9745d4bccbc6

SHA256
1d31575bf2175981e041f5886e1b30c4f3b9a47e2bc2ace081621626e75da59b

SHA512
ad00cae3f70cbaa67681e42b0ae432a115e2cece44301b82819e84e5f25da57016228925a0a9ec0bc7d90bcd704b78bc8727dc1c087c3f8487ff6945c25ce2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
69a375514c599d2ed632a97130d9949c

SHA1
e5e81bc196f5901d3737ece8ef68cfff3c70edad

SHA256
e22f4683e71f4ab8b544aba4f3a6c212b2a91bb8467d4904a8889b2da2e3dc67

SHA512
64aa218c3af8ece466aa252698f1fbdf1c4a20280bf60465cf4f918f993870946e31fdda5c637c1c4cbb7c952ac74d20b4a2a52e1d820d50f28c0651f988cc4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
3e7f7b6e9d52c9266bdc4ca90772f6ef

SHA1
3bb92d837cee226b04ad5664fb4e06158b7ebe50

SHA256
43df98278201b833b82063a28aa1360e96da5c36834d965364e931ac0fe45c92

SHA512
3be9355e8de2df41be730847b5ae8770acefce172e623924e840a73e456ecbb03646addeaa1c3c83635ca92af04a7866a68e530e73240dc97ff2d38442be8d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fb17eb4a7841b826a6c5b378890f0b8e

SHA1
451ade51f4ea147a32567efcc20419df8163047d

SHA256
74ea8f72ff9a6c465cf9129105bf217bc7912072bf53418c22c02c854c7b6d3f

SHA512
c33f0d2f01881e6dfece0985b8689fa6a241576bcaf1c77fbbc6c4d296b7cdc4d9c038692421c50ff55e3d0d2ac26ddfecf8093dc2b60bc238c4de17b8432bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6ea77bc0a5556f498118d23211b1e106

SHA1
d26526b372d449d07bf592b73bbee7d8d9f08ea3

SHA256
6c7a634daa32de53924a6e419bac79b0efcaae2abf3f7de8cfebebc8564c900a

SHA512
709e6c56cd1d9eedb8a720d567474b2ffaaad99901cc2053e445731446d5d66cd1d8f2d67f0688cb1cbb3c7d3929004c5f6418bf05a47dc4ee36e78939d41468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1ea0aab17fb24e279d9c50fbb990f39f

SHA1
45f299764b36a55fd248170de563f8c12d99b5cb

SHA256
14491750895b401ab58aed39bd3230dee93fc96c602024bb8b3e88ecdc8c69c8

SHA512
782622e4ac3248e2669fae06644e194204d4cfc92e46df4704f4f8cb1b99182f0d6df1464f8583eff2ee681268e5bcebbf74f361c46b3063e2e97bf102ef82d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dbb8500fce962a5df6c0b489de6b511f

SHA1
59b9c8dbf4dba1af8d382bc2a3613866c3a99d56

SHA256
eb2880e1fa4b5da6022eab6d34ccd303568846c29bce214da2a81d841b4f5931

SHA512
b4c1ab3727d6142660689a32e2d67ada16ab6dc6c00cb79ac952499c3a3bc51b61ef8c9f18542965fe16164dd3f167fc974a96fb952f019b255dca1833653ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e56dbbe3156f1d6c238a7fb71da93935

SHA1
1e255c818463dfe3a4856cfde3edae487d70ac0f

SHA256
acf0765fdbd855af42613dd59db080bf90e7659857e9e8d2b5c7e0c5b145d215

SHA512
fdf97daf8bfb81eb896799abb0bccdbcef7ba6b7190bbcbaa8a1130ac867cc3b2de9d9e6c43e0df8177e61d2e1e008d04e47ef81a0c462d89cc235d4c9d8beab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
799607585002954d7aacc270ee6b8c9f

SHA1
eea289466e0d6186312a12f3ee6be78f515eb2ba

SHA256
d8afa14569ef7996113afe80384469f69ec18b3f1b5c2819be10a116a97b7b2a

SHA512
3523969de3eb7b8a3996411e1ba075745ceb73778aa98c80d8f1a0891eef89fd575b10764fcbddd640327543768703cd78f0e54a24acb5dacb81ba45c96c27ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
99ec5aeea39817c13f8c3b9437c251b6

SHA1
f7c2dcd26e658861e559c12e06cd1fcdb13ac82a

SHA256
2aea6aa8d93663d02568224ab1ccfd8c3573583340d474f73e63903ace47db6b

SHA512
240600cf79effd951d6ef61515a692738f93cee2b5638edaff1803d25fe4002323e02a64a5818634da5e96c587958ec759a6518e11cc9209bc39f761ccbdef36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
2a7fc13b7bf01e17d7ed728bb1566550

SHA1
3e65b930efbef4e9be163391119201512e3f19da

SHA256
62e95587a8e5d66873deac534ac7cdb7705cf08fb7a6ba5a3dc9aa08db4dc4fd

SHA512
11d65ebd68b4331a8680225e0260a33adfc582e471cc07e4030238753ab58c39e487e273c0bf0ea42d4c9be10d8b479150d37fdc6e40137df4307ea6db699c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f4df.TMP
Filesize
88KB

MD5
1293940038ff7b74baed3e43dc4d1362

SHA1
a668adf153e81699e068d75d25354cfb164d6e23

SHA256
4bbf089375d9473a49bf903b483876fec823e8fb3012b31ab91ba38f15d240a5

SHA512
5ff5274f1b3beb431cd327b52bcc35d9e3be12a47feff5b4bfd46ca539d697333f5007f42ef7e9fbf65fc4e820a4dc0ea16da2677968bdcee1c60b62d5006c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
c7d2cead872af6fb32edddcf71b5111b

SHA1
7bbdc422948e09751d8fd35d384bc2ed8f6d9eff

SHA256
97b3602ac7222d914c4a8fb116e76582f695c377b6bf5d524489a2dc3ea90d8b

SHA512
822b76495194780a9aa8f6352cb0d1b718c9e2a2c6f9d0f74cde6bc139c7d2959f82f95d2c89b36e7b2890fd3b7fd05a4d139238d1aad9cb6cfc4cbd84ebf015

Download Submit
C:\Users\Admin\Downloads\Hello.zip
Filesize
1.2MB

MD5
833b554ced0a308dd74b615e8073d097

SHA1
f3b0051b2d81978d61d352b32522f73b4fca4ac2

SHA256
7e0c75a10e45e707e25ff968ddf24cb7ed73fd80ae49a04091a1a51f13bd1fb9

SHA512
644e5c2567490a7122afa3f757683ca4c455c34d882872784b7172dfb96537a84e7dde13b6c6bea745ea55f5f32267d5d0387e43c0a30069e12feb94d48635f7

Download Submit
\??\pipe\crashpad_1900_DFRMKAMUBJONLJHU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/452-9-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/452-0-0x00007FFAEE693000-0x00007FFAEE695000-memory.dmp

Filesize
8KB

Download
memory/452-2-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/452-1-0x0000000000490000-0x00000000007B4000-memory.dmp

Filesize
3.1MB

Download
memory/3936-13-0x000000001B820000-0x000000001B8D2000-memory.dmp

Filesize
712KB

Download
memory/3936-12-0x000000001B710000-0x000000001B760000-memory.dmp

Filesize
320KB

Download
memory/3936-176-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3936-11-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3936-48-0x000000001C210000-0x000000001C738000-memory.dmp

Filesize
5.2MB

Download
memory/3936-10-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download
memory/3936-146-0x00007FFAEE690000-0x00007FFAEF151000-memory.dmp

Filesize
10.8MB

Download