quasar | 0a1af9ad6684d877f7c58b00bec90875ccfd709f547fe396a87a9c26e881977b

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

4f56c5c10fd6d558874a09e5d4dbdffd
SHA1

5b9692b0cfc0da65752a7c6e98528a49ef1b17b9
SHA256

0a1af9ad6684d877f7c58b00bec90875ccfd709f547fe396a87a9c26e881977b
SHA512

699ff682370ee44a41af76686435f41682910d1291fbe159570f51e1aed05331dfce20074b3d5cd5937dfe6a8db651f8a4f320b4bf2fe2f38d585b8d4b95c8b4
SSDEEP

49152:GvnI22SsaNYfdPBldt698dBcjHnKmmmmzzRoGdJCTHHB72eh2NT:GvI22SsaNYfdPBldt6+dBcjHKmmh

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

86.137.1.84:4782

Mutex

adc301f6-35ca-4636-b286-ad2aef63f877

Attributes

encryption_key
54B7AB1A151267275EF24D335CE7E3B6ABDDC53E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Launcher Task Manager
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/240-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 3 IoCs

Processes:

Client.exeClient-built.exeClient-built.exe

pid process

4560 Client.exe
4016 Client-built.exe
1360 Client-built.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral1/memory/240-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642397441327701"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3216 schtasks.exe
2508 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1980 chrome.exe
1980 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

pid	process
3216	schtasks.exe
2508	schtasks.exe

pid	process
1980	chrome.exe
1980	chrome.exe

pid	process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	240	Client-built.exe
Token: SeDebugPrivilege	4560	Client.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

Client.exechrome.exe

pid	process
4560	Client.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Client.exechrome.exe

pid process

4560 Client.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
1980 chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4560 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 240 wrote to memory of 3216	240	Client-built.exe	schtasks.exe
PID 240 wrote to memory of 3216	240	Client-built.exe	schtasks.exe
PID 240 wrote to memory of 4560	240	Client-built.exe	Client.exe
PID 240 wrote to memory of 4560	240	Client-built.exe	Client.exe
PID 4560 wrote to memory of 2508	4560	Client.exe	schtasks.exe
PID 4560 wrote to memory of 2508	4560	Client.exe	schtasks.exe
PID 1980 wrote to memory of 2208	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 2208	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 5112	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 760	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 760	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe
PID 1980 wrote to memory of 876	1980	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Launcher Task Manager" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0x80,0x10c,0x7ff94349ab58,0x7ff94349ab68,0x7ff94349ab78
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:2
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:1
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4280 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:1
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3256 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3332 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3468 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2440 --field-trial-handle=1564,i,6107944017641317481,7918452660720171955,131072 /prefetch:8
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4320

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\772e006a-73cf-49d1-952f-10c295f85469.tmp
Filesize
7KB

MD5
1398485e73e685070379e883542cbd36

SHA1
9a1d67548536369d70349f22f6cf23da0abd2125

SHA256
62a1c8235b4c3aa758ac2dc11bcc6aa28c66c2dd59db2078ae97310522fe6a9a

SHA512
dc96df099eb787c3e470a399d14d3a9a4899f916f859600f491d6c742bd63d9dec96bfa1bfc27196caf62ea45918d19be58fe11d2b05bded9eb9b2c0f9ca659d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d9485bee626c6c999c9f1756517345a8

SHA1
6a7956c91e303f3f32431aca0ff114f0ab82acb7

SHA256
db70c6e07009b654233a95b3a4ea87cefe3a8037e3178d15d4d1b44c7c10befd

SHA512
10bf8c206bbbe94617fd2f278eb104555eec5cd8bbdfbaa02050be62a0fcc1f604e67405a41101671a5dcb61db6c648fc17fd948b7924403b9353640fff00b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
3ae4c59f693796909ea2f4b826db6db3

SHA1
3e9f8513fcb9748d7452a40b8d2caf820f1a3210

SHA256
f27a4b595911ed700f90e5a10190c78c843d75fcfd6b7fa60960c97cdb69ab25

SHA512
793edbd87269b8529b868d778b72759d1fc996ba60866cbdc9570727d161f8277ff8aa8e1f72316fdf5f3d6635e322bc5c4cc4514d4c690e0527ecf7774a3e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
b72e33a5cd7f13b97a704d9d22df6883

SHA1
068d68aab02e586f907c370996c5eade8169b355

SHA256
c6ed7b413d2974070bba9783ae9240cdfd747d49f5952531da2f5f72c62e24cf

SHA512
a7f4badbe07f8bf27df0de566da259b3a724725e32c387170d35ad8c99f16a76a517e503c40809b5c1acc0c71cc9028fcc5c18652d315fd538fcc76bc49cf87b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9207c5423295152cd2247cea62302532

SHA1
1292dcfc755247639efe436d91d0ed80ea8b1b57

SHA256
a174efa56d82f7de3b3b510104a42b922988cbd6f209b0168bcc6f223143d5d0

SHA512
ca7f084738fa2094321fd3ef41134cc4b017eda0bb67941a651fc021a81ed9d0ebbc942dc4322242c4907c515a32d7bc45a1ac2440d5bdcaf5cc86fc2d74d896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d326f50c1dd60c854a56a63af658d666

SHA1
288da4effc274600994b0b8f27ee09b0f94c941f

SHA256
85b7fec6fcb72f114ca1ea7e2bcc910a376f66e3303c221aece1e2340f3ddde8

SHA512
4aaeba7c668b9a24d590827d31892c5c97179cef5623527e59d3d3532540ba82ae7a3b04b5fc0985840641f7d6675f5d5631800942c6635b9825c741b159d6c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
46032a47089de6d5808cdcf277ebb788

SHA1
fe3aeab73d3681c14d9e655f2ab7a28bccea8566

SHA256
1e8bed0f1c0bd20dd205e42438ef8ad5bedc22493a5a2d4cd454f5a6badc5fa1

SHA512
7f83977f2451786840233167479a9943ffb30745ced5946b2700220302067cbc76a713e35ee1cf4f495c853962c5105c520fc03998ca8531d4e5e24dcc76ce56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
1b5c1caf19add23982a7d8794eb73c32

SHA1
f577ade8e4db1b9edbab4a94b2a8456994ca8769

SHA256
44d3f9f1dcc51b6b67a5391b12afb0f3d24c1bf98c0cca32489d1024e1222c82

SHA512
c87a92cf4d09ce14ba1101aa07868e5b6bf6b81636dca9be6921b69b0b19825f1d985ee6127a16ee4c6dd72ad1698bf40ee2bceb0d7d56ee399b1173e9e753fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
92164eeb0d9694c17b72444937808cb3

SHA1
f853bfdb4db6bb3eda871d51994f96d317d3fbbc

SHA256
f24820f7a7bd809b1f95c3d45f8637bd263fd106882ca6d17e0d42a2f9cfccb8

SHA512
f75d3cf690282ec60c73a0048bfbd8df25ad4b8536734b9a2b89200054ef03b74b13f815eab2c92d94d8e57f5d44e84accc5d8a0f667744d3ededd04ad9c3489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
d1b40295e0a881cc2efcec85a679e889

SHA1
373d2e96b948fe7d9c7782f3bf9f2809a3506a44

SHA256
5419d815158e7807925ed654f5c34ab1518be0dbb7f0eaa211b9545f0fb1c0d7

SHA512
0c419b69fc0a9c4cc53664c84d6cec6eb4125c65f6d71dccb42f2f4938a230b5b0b32fc9c5d5544c8e7e83caf8cfb73912850b1a65cdc8431c3cd4f280286556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
4f56c5c10fd6d558874a09e5d4dbdffd

SHA1
5b9692b0cfc0da65752a7c6e98528a49ef1b17b9

SHA256
0a1af9ad6684d877f7c58b00bec90875ccfd709f547fe396a87a9c26e881977b

SHA512
699ff682370ee44a41af76686435f41682910d1291fbe159570f51e1aed05331dfce20074b3d5cd5937dfe6a8db651f8a4f320b4bf2fe2f38d585b8d4b95c8b4

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_1980_TUQJCCSYUBJUEHVN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/240-0-0x00007FF949803000-0x00007FF949805000-memory.dmp

Filesize
8KB

Download
memory/240-9-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download
memory/240-2-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download
memory/240-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/4560-11-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-66-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-55-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-14-0x000000001CD50000-0x000000001D278000-memory.dmp

Filesize
5.2MB

Download
memory/4560-12-0x000000001C450000-0x000000001C4A0000-memory.dmp

Filesize
320KB

Download
memory/4560-13-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/4560-10-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

Filesize
10.8MB

Download