quasar | 32ce02fa1c029625139d9d3a5468de74f8e84029d60bd38c60a2d5b9c729fd7c

Analysis

max time kernel
76s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar
Size

295KB
MD5

372aa78807cdbd6be3357c112850a0fc
SHA1

783d4706017383fdc6f8a6245357c16ecf95cfc1
SHA256

32ce02fa1c029625139d9d3a5468de74f8e84029d60bd38c60a2d5b9c729fd7c
SHA512

84999427d0f1b92d8ce47b060d439c680c7eaee3d154225436de509b838584b2602343e00c6d0f9690676c8b7c76966156b1aa1092bfce15c5313d08488f7e15
SSDEEP

6144:XiNGNpOL/saqkPV97HILqgIDSsqIe9lvZJT3CqbMrhryf65NRPaCieMjAkvCJv1o:yNGNpOL/saqkPV97HILqgIDSsqIe9lv9

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4544-812-0x000002213C860000-0x000002213C998000-memory.dmp	family_quasar
behavioral2/memory/4544-813-0x000002213E650000-0x000002213E666000-memory.dmp	family_quasar

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
106	camo.githubusercontent.com
111	raw.githubusercontent.com
90	camo.githubusercontent.com
104	camo.githubusercontent.com
105	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874918652050056"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
4544	Quasar.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
4544	Quasar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 4812	3836	chrome.exe	97
PID 3836 wrote to memory of 4812	3836	chrome.exe	97
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 1916	3836	chrome.exe	98
PID 3836 wrote to memory of 5316	3836	chrome.exe	99
PID 3836 wrote to memory of 5316	3836	chrome.exe	99
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100
PID 3836 wrote to memory of 2296	3836	chrome.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Quasar
1⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff96ebcdcf8,0x7ff96ebcdd04,0x7ff96ebcdd10
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2008,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1600,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3872,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4456 /prefetch:2
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4752,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5252,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5524,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5540,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5372,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3416,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6064,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1556,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5376,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5744,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4472,i,15810835596877093440,16089592284411439464,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4548 /prefetch:2
  2⤵
  PID:5268

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5648

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
812b4e4cd8c4fdb0aba3ab9e80039ac8

SHA1
0c35c8649dca3c6d6e6e26a8fd2ab42965cc3127

SHA256
6e170cd6a6b59be63856f9cabde125c4347882df9103ffc1690cb13c1dcf24a3

SHA512
7dca318d4321dd85e09013a7f2c0b7b6392ff8601d559930069c3742635280c2cb8e434389e45a74f2af3036fe5e5403a39f99e2e241c79c1b8258d4300ec9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1226dbd8eb8c791328b8163b8d69f78b

SHA1
f5e4e09548d8e0b7be05306ec553cc78113e54c0

SHA256
eaa4e3a2573a9221277c4ebb6ce6ea9f222cba1cddb66085070a27766e0136fa

SHA512
71d82cfeff02f3316dd109c95210ed19273f83ab4352c679b074ac8831e36f6e5d669e9384a47da0c7c5349f2d20711d1bc9e83fec471b782b76968a0d62c75c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ba9d24863b85d06a5d972853fca8bc9b

SHA1
fe2156842c8090e053f4aab11f7e78886320f215

SHA256
eab68ca1270a0716a529e5f847f92186c4b5a13de5036749ccc558b28f0826ca

SHA512
549e8b3f63659447162153a981232da706506594f223b7d88ffeac551dd8cd4e9a9e40c4cd4b7029508d71892fea61ea308083ef061796cdb414f619a69b027b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0fdffc82c29a764ca82366aa75619e8d

SHA1
2462c1e420549b57e3112cb5e73ff898c634a963

SHA256
17999c09d803e30d22b6d67858239bec641a5c569c31242ee2efeea408c622a4

SHA512
bcd191fa1d26d93eb0f8cd6d5390cd72eb1e441b5a4b3ec005fb8114158f1edadc7fe0f1d8c11423a1a8388b421087f2c66e011659f5a4da63c78d954d2e1188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2d211b1869aa4f553c07b837c1a8126c

SHA1
5439ca392272c0d591e9158007ca605980de338b

SHA256
ea22cfe9a2a3657e4f5953bebcb89fd98e27b9cf6c04a9381638beac520c7ec6

SHA512
83af80a70833e183a48764400571d55a7060d6e99b6d0f0737edab2e22ca0a955853629a3b28160f34222dcdef40c71bfb0108c44db108cf3c25398e8372618f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
efdf6cb72593c9f895c72797d7e7970e

SHA1
45b494679279416382253dffea54855bf6048572

SHA256
1f7cf570a2f50382fa56f45dedd375712bf51c373f70c03ae635eb923323eaf7

SHA512
208551ed26cd2d418a97a10427782173e57a8e4ed455108a65ba6ad4432301c418659c737b160d4f9a5ed8731b7f03eea41073f7479bb32aa077768850f9654a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
36d21614212b351ff754b4052bcbb68b

SHA1
8380b09d0f7b848776592bb6788a3501b2597e5e

SHA256
7ea8c2d7aad7458a581cf9ea5f174f5aeb9fee908289533785304b2ca9896816

SHA512
63e9079adbf95ad8f8675493bad90f89fa7b04d81419311ecd67caa0d72f2d25f5b3bbf166e9e4cb306c970e94956f6f8af6ceaf5bcca511429d57222e01fdfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ab28c500ba4273d01b4bcb61393f87bb

SHA1
2a83f68a2a2ccec9382be287d8efa79eb196d181

SHA256
c58eb39eb954b6404b9131d7100d720b5a2c2cf84fea19430effca253f9948d2

SHA512
d1044609c24a965cc320498626fb47078aa959bec04fa57c937b314a9fdb1c362bf2485581c9f32e06d79d42d5e4a4d77976f0eb45a9cdec5e73cafa1b1a342f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
09a26e13f4f84bc9e388f8573edb0abf

SHA1
61de9f53740b2023ffe53b6046f1939631040230

SHA256
e7c0e275d3bc872a2ff124e271252b7ffe338cf5c89bc5547a49d75f108bed16

SHA512
cbec6e56283ce441afd442a5adf174b0654873d3774babcd58beaf071b02c4b5c492ebba4568bd3f7bfb3cd297adafcb19ecfa3f798d447d16708baee3f51a99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f155.TMP

Filesize
48B

MD5
5a7f42d17a4aead8abd0ffc78a6e8c95

SHA1
dc7c20586248b78cd68ce1fa7cbd8e260e06698f

SHA256
b053fe5a71f87188e3bedff7c640efb1397c1280d6a9e98570d3bd96bec4a77d

SHA512
6abf9afc0fef6a789e0855d353c1998ace2dcd73f7e3c0460448aa1a4afdbeb82e3470b139bf3bdb90f9aff184a1324b4739e2dc5b6f9236d2cb9d469355ce64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
dda8d4aae0488c13dc933e50ce2ddd38

SHA1
9cd849136dbb2df5efd19b41a65810f6b5cb183c

SHA256
26b4874b8eab8064dcf44664ece79648bfaeba0e914244d7a59339d2c59affd8

SHA512
87e29792a223b671b8ed0bf1674bdc45c96e97c8eec290da40ad8ec465e2df151f06b0eba6e52e9c3f793a47b77b037150d486c0403ce0da1ee1f3cee45e1b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
9a06f66f14f67d82b4f148e2ec8cd067

SHA1
4b7b86b6d2df55cc8a1a7f80e4efe4a48222e295

SHA256
068d50a863bb27d39b5fb62c1e110eb1de1a24f5481f11d827dc7b44f6b22bca

SHA512
2e74f98093ccebce6120a1a3c6e62a5351e1c894fdce31298b4f255ee4bafef9837c75b1aa8656fad0d58186a2333d21189f1e7dc537c96e2de37fcdea601e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
3642c46802c4c018155db7c114eee98f

SHA1
88efd098e2a4c1778c6258f922982ae7e941ba05

SHA256
547d681631d25076c8f53118bc450d27e3f4b1667e0d649e625f86f52d109353

SHA512
540f283b0f39520d2a8872877797de4c03a18fae36c83856dba9f886559fc6eecc94585d7ae55db05b5dc7724f8d98faa0accb7a8ebe3da296b60cef7f50dfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3836_1903952195\93283feb-25b1-4dcd-8a13-84a5e465f271.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip.crdownload

Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
memory/4544-814-0x00007FF958E90000-0x00007FF959951000-memory.dmp

Filesize
10.8MB

Download
memory/4544-813-0x000002213E650000-0x000002213E666000-memory.dmp

Filesize
88KB

Download
memory/4544-812-0x000002213C860000-0x000002213C998000-memory.dmp

Filesize
1.2MB

Download
memory/4544-829-0x000002215A0F0000-0x000002215A41E000-memory.dmp

Filesize
3.2MB

Download
memory/4544-830-0x00007FF958E93000-0x00007FF958E95000-memory.dmp

Filesize
8KB

Download
memory/4544-831-0x00007FF958E90000-0x00007FF959951000-memory.dmp

Filesize
10.8MB

Download
memory/4544-811-0x00007FF958E93000-0x00007FF958E95000-memory.dmp

Filesize
8KB

Download