quasar | afaf1fafdbbd222021f2d6dc870e4026866a2be055654207be312d6d9cbf3bf4

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

acae78b76f4b990b86e2d2d5edfbb6fe
SHA1

0407bc802c64787ffd2baf35f6ef6c186e88d1dc
SHA256

afaf1fafdbbd222021f2d6dc870e4026866a2be055654207be312d6d9cbf3bf4
SHA512

8ff3124fa36c76ee7da622cf6faa6e992369dd6211e9808896afb32b677dadbbf65ed36748c8b7edfd0d01a706b3e38e293053f10e2d983017061f82fc426ee3
SSDEEP

49152:SvnI22SsaNYfdPBldt698dBcjHBuRJ6dbR3LoGdKITHHB72eh2NT:SvI22SsaNYfdPBldt6+dBcjHBuRJ6v6

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.150:4782

Mutex

adc301f6-35ca-4636-b286-ad2aef63f877

Attributes

encryption_key
54B7AB1A151267275EF24D335CE7E3B6ABDDC53E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Launcher Task Manager
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/5100-1-0x0000000000CC0000-0x0000000000FE4000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 2 IoCs

Processes:

Client.exeClient-built.exe

pid process

1484 Client.exe
3460 Client-built.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral1/memory/5100-1-0x0000000000CC0000-0x0000000000FE4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642378285576332"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2944 schtasks.exe
440 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1308 chrome.exe
1308 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

pid	process
2944	schtasks.exe
440	schtasks.exe

pid	process
1308	chrome.exe
1308	chrome.exe

pid	process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	5100	Client-built.exe
Token: SeDebugPrivilege	1484	Client.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

Client.exechrome.exe

pid	process
1484	Client.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Client.exechrome.exe

pid process

1484 Client.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1484 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 5100 wrote to memory of 2944	5100	Client-built.exe	schtasks.exe
PID 5100 wrote to memory of 2944	5100	Client-built.exe	schtasks.exe
PID 5100 wrote to memory of 1484	5100	Client-built.exe	Client.exe
PID 5100 wrote to memory of 1484	5100	Client-built.exe	Client.exe
PID 1484 wrote to memory of 440	1484	Client.exe	schtasks.exe
PID 1484 wrote to memory of 440	1484	Client.exe	schtasks.exe
PID 1308 wrote to memory of 4320	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4320	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 2116	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1932	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1932	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1224	1308	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd7dd3ab58,0x7ffd7dd3ab68,0x7ffd7dd3ab78
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:2
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:1
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5004 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:1
2⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3340 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
- NTFS ADS
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5184 --field-trial-handle=1744,i,6988612452079266112,1102232273467947599,131072 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4748

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1a3d61b5-f826-4218-85d7-765063c4e70b.tmp
Filesize
7KB

MD5
7b8380d6e97b70f5104f6594f76bdcb1

SHA1
3a090963db87fc5ecbf6301787b2b4993e65e508

SHA256
1baf52d41de38d055a7627fa8f754264ff44df54e9d630f2a97d728cfa61cec2

SHA512
cf328a603dac67894f6fe59338e3c042a4ff8145ab82e229b6ef610510417b5494792b16ec4d9379b013f87be23382bd373ae33e27895e8c5ecdae77b1daac6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0c37300639b51bf6224fd7de66441867

SHA1
fd7fbf45a4679d92cfed4427e7bb6c2698f06610

SHA256
66310bbce729d73f47f738270c50c4c41fb9cca8306b88b9aadd582b9af491ee

SHA512
83ed7dca7586bcaac1825a6ddd6d1c6883b072f8f820833472947717d1a594905a28914cbf60838e243670c2479251736bb0cf1c999a689565cbaac4e6a6eade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
2512943e80dc6216522d8212a1acf479

SHA1
eb94773a1c7674c6b3e1df472346195be87de85a

SHA256
aa4f6219499aadf3a95516ade96d3c98a1c9046f16ef86d6ce3621d1b7f658ad

SHA512
0e46eb10f3e065ed88bdd7d4710dbecc9908b3bc99a09583aa69c0d472fb7776124b6054e735ceefee86ebe2727cb02401331fa34c1a0b5ebbd27abcd5b799dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
8c3c7051eae025b0c30dd36cc21f09ab

SHA1
baf50473bb726370831d62c3d7a06aa332af36a9

SHA256
1b4fdd3e3cd0304c3a605ea9cbe00136e131d72333c9a41d060e820f1e6e5ec0

SHA512
d3fdb212ce6c2911610773efb179df51df49adae9bc60c3b7e5b7710ba57c23909597e98b434ed1f511d3187a8bc1a1baaae51586d5cce67a692524f6f3cec2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ee9a2fdf57b9245d0bc168d8e85e3911

SHA1
ae1f6c01540fe4aebbdb9731cf2e1ce6a80e36d3

SHA256
6ceaeb5c71bd9e33da139d2963b79555c43f2eea49311295894c260f51ce85eb

SHA512
c678b47089aaf3f35f7aa72b3d47eb0f53ae598cbfaa2c578729b8d532e50d97dd39612cf855fd87f8a9a9202ebf427e7441ba3287fc665600c7b898958aa63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
e789f5c70824c5233058933a455a7080

SHA1
d47254a70fe40ab4a905b5a85035e70559dd0014

SHA256
8a826d21043175a81269be6dcfd18d6a671f3afcbd42682ac4964fc450543ab8

SHA512
fc478b0468ad91af958a4540fd08a7bb42a4ce239d3fdad7c3e7db2264d94dae490fb6b1bb89fbfee0c70b0034625eac886034976d4a70ac2f258355134fd52e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
9e047aa40e5a55f17d212eb9bf40c3fa

SHA1
1b607e092724eb0cbc80b690104b731b120b2210

SHA256
1a4cb94a5005c50f52bd41e18485c6ad62edd895ff6dffe8366ab1172507ba05

SHA512
8f62f606c5256da344e79df6fdc0c48d0efd44d2892f6019e5565507869e014ef2540c464493768eafd494c88b6b84905eb720625dfad4ebac2bcdc77d20ba46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
9159822d06b2e9dff3090ac6d301c9e7

SHA1
931afeb4c257a5ab8685157c710aea0c984c50c6

SHA256
2259293a412d096069384b134de49a6c0fe07d3c06dd512db7ffdca4c7a6af6d

SHA512
94198d51c025f9893262114399d25d3d9276efdd67f16fa838b61f0abf55f16ef4b21e02867aa0af91a67b881043ee3adf1771ea4b588d4df22f5e7c05c08c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586107.TMP
Filesize
83KB

MD5
b24a39728eea59d27c64769104c359b9

SHA1
dceec230f33429603838976c126731355d33eca3

SHA256
f8f2f025d3efd898c45278fdc27e8647aa38eb769fae5c5adf6aa0bb11be2dfe

SHA512
dc53673f35003fa8633be27bb7e9601d3bdeb76ecb70a496e0c6bc4ad40ae7a44960c5a81f4dd735ae51c096f2e5466365504eff9291e969f4590351d6858368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
acae78b76f4b990b86e2d2d5edfbb6fe

SHA1
0407bc802c64787ffd2baf35f6ef6c186e88d1dc

SHA256
afaf1fafdbbd222021f2d6dc870e4026866a2be055654207be312d6d9cbf3bf4

SHA512
8ff3124fa36c76ee7da622cf6faa6e992369dd6211e9808896afb32b677dadbbf65ed36748c8b7edfd0d01a706b3e38e293053f10e2d983017061f82fc426ee3

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_1308_KOQLTHZEQNHLZHWB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1484-11-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/1484-54-0x000000001D5B0000-0x000000001DAD8000-memory.dmp

Filesize
5.2MB

Download
memory/1484-14-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/1484-13-0x000000001CC70000-0x000000001CD22000-memory.dmp

Filesize
712KB

Download
memory/1484-12-0x000000001CB60000-0x000000001CBB0000-memory.dmp

Filesize
320KB

Download
memory/1484-10-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/5100-0-0x00007FFD70AD3000-0x00007FFD70AD5000-memory.dmp

Filesize
8KB

Download
memory/5100-9-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/5100-2-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

Filesize
3.1MB

Download