quasar | 24870912ebadfaf5657f71f068767c1ad98f3fc973b313dec17f170808c33293

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

c7120916a9fb4b558f1e36da622fb7b2
SHA1

88689f5e3eec43a9839cbae46b8b295ac88645cc
SHA256

d5b9c9a4f3587ab74c78cc9631306dc577663ce4ce7b1619597a82c036c0b63b
SHA512

93f9a94ada80ad66fa8c8d67ee3b3fe3c035404e67a73548161a12833ae27beb6c4b9b50d9fb5b859b01a1cbe0d8b3e6b10c27dadd6a79a55b43e6083194ec1d
SSDEEP

49152:2v5Jo21JaEW0kPnlodHoSpSrApeu+g8jhtUoGdbxTHHB72eh2NT:2vTo21JaEW0kPnlodH5pSrAEu+gn

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.1:4782

88.98.207.207:4782

192.168.1.211:4782

192.168.0.132:4782

2a01:4b00:b31a:3e00:d4a4:5f88:ab8:cc7d:4782

fd00::1617:c634:9b0b:2a22:4782

2a01:4b00:b31a:3e00:c7a:623f:eb1:3db6:4782

fd00::c7a:623f:eb1:3db6:4782

fe80::19ef:ec1a:f41f:39a5%5:4782

192.168.1.211:52859

2a01:4b00:b31a:3e00:d4a4:5f88:ab8:cc7d:52859

Mutex

6d19d2f9-1235-4b10-a1dd-486dc3edd052

Attributes

encryption_key
12AE26995FE0F312DC3ADA3C8CD142053AD088CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1752-1-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3416 Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4760 schtasks.exe
2776 schtasks.exe

pid	process
3416	Client.exe

pid	process
4760	schtasks.exe
2776	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618459958987518"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4348 chrome.exe
4348 chrome.exe
2028 chrome.exe
2028 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1752	Client-built.exe
Token: SeDebugPrivilege	3416	Client.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

3416 Client.exe

pid	process
3416	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exechrome.exe

description	pid	process	target process
PID 1752 wrote to memory of 4760	1752	Client-built.exe	schtasks.exe
PID 1752 wrote to memory of 4760	1752	Client-built.exe	schtasks.exe
PID 1752 wrote to memory of 3416	1752	Client-built.exe	Client.exe
PID 1752 wrote to memory of 3416	1752	Client-built.exe	Client.exe
PID 4348 wrote to memory of 2252	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2252	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 2836	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 692	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 692	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe
PID 4348 wrote to memory of 4160	4348	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4760

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe5ae4ab58,0x7ffe5ae4ab68,0x7ffe5ae4ab78
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:2
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:1
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4504 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:8
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1900,i,6631818467210081443,17071421781057315789,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hello.zip\Client-built.exe"
1⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
4d0602c6c9d566e8dd03d130d282408f

SHA1
9942302e2d5e0a9473f4fdcbe08470dbad023f0a

SHA256
3309bf197717b42b9b40c1801b394ae05b8b2be39185f4c680a3a66853febb96

SHA512
5d6aba63c1e1dab007c49aff1e724bade2e76804482f12a3de15f1dbc7649f87f59efd168c92236c2c90f334f1929d8049d5bafdaa5480eef4ae8c1fe1a86d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
8fd84f577fed26567ea92458e537f589

SHA1
25b7c4846d8ba1f97cd6eaf963052dfe7bacfdd5

SHA256
89777be920e6452788a5e7f925e208aba111606925db6a5b879e4104950b619f

SHA512
9832aeabbc26ed1208b98640f21103924fb3ad4992f0b50bb892a1b5354828896025049fb2f80d2437975547dccf0196674fd13a104da9bcf252fc55003a3f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a354f397d5c0e67db026d95fde25ec08

SHA1
0490cd4d1d2adae988136af307bd1b7fc42d03fa

SHA256
84a26edc2357e4957a899019166dd087df060e4fd3feea95010e9b48a780013c

SHA512
aee1fbf912d3eecff9364654346b38840a804020e643eee74a5727115fddb159cb074996e76f61442f10355536e1ce0a60f94263e13ae81389cf48365cef0841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
4104176109f1ae43e72d377771ec7fd0

SHA1
a2ee02903c72f5900479d640f17a8db3541ca95d

SHA256
e42d9076671dca92cb547420c19381ca770404b2eb60a011c67477f0796a1c40

SHA512
5ec1966b2d943b786ce89d73a5e42883584e3210bfb8c51e26495e42a6224051424304aaad315ca19fefeaed663d43bd26a4a39bcc7539c9cf44a4c0e43ffd3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a320dd2a3b569068620f0f6d6a25c59a

SHA1
06c79f1d9be947749db6fb5ec16b5b9c52c1bf14

SHA256
5f2b91ae49540fc409df0fba8c4ff611c0443572244e21ed08d3d50e6db7dea5

SHA512
b744685380292d4c973992afaeabb7b455f716eebac961ad372a0704d1f28bd7e9d1b6452d9a8a45d248398f116ea83b92bf9644b793a4c9d893d3dc917b3090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f427fa6601507501ba374cbfe59fd2f5

SHA1
db6086848b9726fce52efff66ef8f2e5300a901d

SHA256
deb9b43625f6ecbd0fcecce9d442fc748e174cd1028dbb60cb0d016467e3901f

SHA512
1394f84ef92d8516ce876584d204f3e9e183d69774b6095a330f97e7f2df6088653929060ce3ba14bbed9d5f171d9cbab49b7ad35f45724e99d42296f9dc1f19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
3c0f09f586d22b0263715836d2a19cc0

SHA1
ab9687a444ea23f15dad81b480cd7bb6dd3efabc

SHA256
7880f92d2ce69544f8e0d72a597917edbfb664634b810d68029a9768b4d8b2ee

SHA512
c1ee669053de2d0ce3922ac4143e80d3e5d8d1666bfced400bfd44a711a720c85db4d171fe1c116f4f5e4c7c55d90cd1fb982828174a2844b49c292114b98391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
861cf45296048f59d581ccbb966faeb1

SHA1
f71a12f27af3f2098dff60081598342866bef78a

SHA256
7b9561ae9fc7c06ad743a33d5217a85928b8e27b688707203d12b01475ba85c2

SHA512
7465b2f7df40ed2eb9a692510c4db4af6c317c3ccea0c4523830c6c5e251f52045dd31a69c72bc265a6e4b227ef3047b6b4b059a52a05ff6c5183494aad7f2ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
2a7fc13b7bf01e17d7ed728bb1566550

SHA1
3e65b930efbef4e9be163391119201512e3f19da

SHA256
62e95587a8e5d66873deac534ac7cdb7705cf08fb7a6ba5a3dc9aa08db4dc4fd

SHA512
11d65ebd68b4331a8680225e0260a33adfc582e471cc07e4030238753ab58c39e487e273c0bf0ea42d4c9be10d8b479150d37fdc6e40137df4307ea6db699c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f0b9.TMP
Filesize
88KB

MD5
1293940038ff7b74baed3e43dc4d1362

SHA1
a668adf153e81699e068d75d25354cfb164d6e23

SHA256
4bbf089375d9473a49bf903b483876fec823e8fb3012b31ab91ba38f15d240a5

SHA512
5ff5274f1b3beb431cd327b52bcc35d9e3be12a47feff5b4bfd46ca539d697333f5007f42ef7e9fbf65fc4e820a4dc0ea16da2677968bdcee1c60b62d5006c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
c7120916a9fb4b558f1e36da622fb7b2

SHA1
88689f5e3eec43a9839cbae46b8b295ac88645cc

SHA256
d5b9c9a4f3587ab74c78cc9631306dc577663ce4ce7b1619597a82c036c0b63b

SHA512
93f9a94ada80ad66fa8c8d67ee3b3fe3c035404e67a73548161a12833ae27beb6c4b9b50d9fb5b859b01a1cbe0d8b3e6b10c27dadd6a79a55b43e6083194ec1d

Download Submit
C:\Users\Admin\Downloads\Hello.zip
Filesize
1.2MB

MD5
a37983ffe22ee93c0f091b56ec94924e

SHA1
2b7581a1a2b49441ebf16709064f192d321540c6

SHA256
24870912ebadfaf5657f71f068767c1ad98f3fc973b313dec17f170808c33293

SHA512
55bd6e4c8f7fb2782dc6ff51b88b3c06d3d4e4cc461de6d22e3e6fca70b20b5cc4d9ed975010dd5a0c89ede5a5b29f67a53b05a404afb25037ee287f4e883c1f

Download Submit
\??\pipe\crashpad_4348_JNPTPAXEXRDQHUIC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1752-0-0x00007FFE5FA03000-0x00007FFE5FA05000-memory.dmp

Filesize
8KB

Download
memory/1752-9-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download
memory/1752-2-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download
memory/1752-1-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/3416-48-0x000000001C430000-0x000000001C958000-memory.dmp

Filesize
5.2MB

Download
memory/3416-22-0x000000001BD40000-0x000000001BDF2000-memory.dmp

Filesize
712KB

Download
memory/3416-79-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-80-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-21-0x000000001BC30000-0x000000001BC80000-memory.dmp

Filesize
320KB

Download
memory/3416-12-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-10-0x00007FFE5FA00000-0x00007FFE604C1000-memory.dmp

Filesize
10.8MB

Download