quasar | 65914f9dcfa1f7e81859a9e042ee84b549bde879180d4eea3eb7fe4f50b73097

Analysis

max time kernel
138s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remote.exe
Size

3.1MB
MD5

875d3550ed90decbd5188e1d2cc961c0
SHA1

b067c399f32873bfb4d16524a87d17196c6a070b
SHA256

65914f9dcfa1f7e81859a9e042ee84b549bde879180d4eea3eb7fe4f50b73097
SHA512

c7799194bbebba17ce32765416ed75a996a29c9694191e6cc89966fa10a9675cafef26867320fabfbb21a851f4ee261b99b260aa0c4f5ee359fcd128a71c13fa
SSDEEP

49152:HviI22SsaNYfdPBldt698dBcjHEKRJ6zbR3LoGdqTHHB72eh2NT:Hvv22SsaNYfdPBldt6+dBcjHEKRJ6l

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.150:4782

Mutex

adc301f6-35ca-4636-b286-ad2aef63f877

Attributes

encryption_key
54B7AB1A151267275EF24D335CE7E3B6ABDDC53E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Updater Services
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/3572-1-0x0000000000A20000-0x0000000000D44000-memory.dmp family_quasar
C:\Windows\system32\SubDir\Client.exe family_quasar
Executes dropped EXE 2 IoCs

Processes:

Client.exeRemote.exe

pid process

1048 Client.exe
4040 Remote.exe

resource	yara_rule
behavioral1/memory/3572-1-0x0000000000A20000-0x0000000000D44000-memory.dmp	family_quasar
C:\Windows\system32\SubDir\Client.exe	family_quasar

Drops file in System32 directory 5 IoCs

Processes:

Remote.exeClient.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Client.exe	Remote.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Remote.exe
File opened for modification	C:\Windows\system32\SubDir	Remote.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642416316968599"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Remote.exe:Zone.Identifier chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3512 schtasks.exe
3216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2952 chrome.exe
2952 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Remote.exe:Zone.Identifier	chrome.exe

pid	process
3512	schtasks.exe
3216	schtasks.exe

pid	process
2952	chrome.exe
2952	chrome.exe

pid	process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

Remote.exeClient.exechrome.exeRemote.exe

description	pid	process
Token: SeDebugPrivilege	3572	Remote.exe
Token: SeDebugPrivilege	1048	Client.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeDebugPrivilege	4040	Remote.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

Client.exechrome.exe

pid	process
1048	Client.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Client.exechrome.exe

pid process

1048 Client.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
2952 chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1048 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Remote.exeClient.exechrome.exe

description	pid	process	target process
PID 3572 wrote to memory of 3512	3572	Remote.exe	schtasks.exe
PID 3572 wrote to memory of 3512	3572	Remote.exe	schtasks.exe
PID 3572 wrote to memory of 1048	3572	Remote.exe	Client.exe
PID 3572 wrote to memory of 1048	3572	Remote.exe	Client.exe
PID 1048 wrote to memory of 3216	1048	Client.exe	schtasks.exe
PID 1048 wrote to memory of 3216	1048	Client.exe	schtasks.exe
PID 2952 wrote to memory of 2608	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 2608	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1072	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1096	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 1096	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe
PID 2952 wrote to memory of 5040	2952	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Remote.exe
"C:\Users\Admin\AppData\Local\Temp\Remote.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater Services" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Updater Services" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff8b4b8cc40,0x7ff8b4b8cc4c,0x7ff8b4b8cc58
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1824 /prefetch:2
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2108 /prefetch:3
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2200 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4392 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4432,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4724 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4768,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4876 /prefetch:1
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3228,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3280 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3464,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4252 /prefetch:8
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5236,i,7735449641035345143,302738445976555734,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
- NTFS ADS
PID:1196

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4020

C:\Users\Admin\Downloads\Remote.exe
"C:\Users\Admin\Downloads\Remote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
b072985ec93ebffd6a5bca0f58b726ca

SHA1
14bf0162fe9b8b7427747a97518e3cfa79f19d1a

SHA256
ac5132af604a28fe7775317e850c95873044fe8610f3ebc4bd268791aea17e5d

SHA512
f0b090dc3235b7b173531240f717a884ddfa1d8d216ea17f638e6883fd3bb900f50bf8e8a01add09229627a5f56a4af101c6d5beeac5dba610799f75b7f24781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
8e93a49832ecddc742ce53ea6df230eb

SHA1
1dfa3b736b70630836a13030871fb4f3563b2f72

SHA256
dced22cffdea2152ee50c322b2f9c79bc0f8732155cb265a3767ed0036aceef0

SHA512
eb28f8ac3f3fd0b0e1807180d1e14dee7313dac2a7b100d58a38be28501f85d4f5292242657cf8ae8128837e2e9e6fad9f34e9b1e15678b619638115652b1b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
a52a9b6efbd1247eb8d278c9598e5ce2

SHA1
c1c91094e741603a18a88b2ab94af11c1e79b142

SHA256
3daddb5a7c415960be2ac9f1051d28aed2b8d29a2fb6e79cfe7d9123b59c242a

SHA512
c256ccb5a087da0bfaaa18ff9925309e142bc012a916eeca3b8c073a08b355fb490307a24b994aa4a9c8e4b6fff1b92af02c8ba487841b2b81394712ce16b8ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
7cd642393fe27cb4b24cd437bb4a6795

SHA1
0a7ecb2af97fc54bfa1efed955f789cc0aef1a26

SHA256
75cd5e25eb0bc02a68861c4c378b630f70915dcdf49f56c8a5ba69bc38055680

SHA512
b2804f4a496dde37e1e5e85b7aa83eeca1c826817e9395141bb55e4d4f34e05dd78bec4853020efb07ea01dd18a9b471d987333fcd3f3055ccbf74ac31918e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
f10ef8d0237608f5278ce3591b10ea7e

SHA1
353ea760679e571aab83d456f99e2bda94b7d0ce

SHA256
9c19fd395b9078da7f3f9359c21f5c05181b541495b476a2c1b0b7a225a453a8

SHA512
689bda4d4176e320d0460f1bba6427f9eecc9ddfca0a9f8942184e21f5de551539e61f7ba363728ac16b07dbcb1d1fc86ab9af25a5ff3cd03a395a867e6f630f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
0fe0ae599214ecc5c7aa28d362ba02ab

SHA1
13ba5578fb46afc6566065958e71d2b60072bdcb

SHA256
493cb17ec246b98b4974fd08c02a397cde9520bb8c5a7d63a7d3fcbb4bba8fe6

SHA512
7ee0105b56471f4a0ac5ff9eeceb3e47e7169f8fbeb435b0487ee66363b3a0031b77793ffa5ce67f60ff010be020f9485ae972fe80a0b30169bba3f0e14ad64b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
9e01c059de71b43a1a64a58f0c70b25a

SHA1
5a15e40ea59e3aca0311dd679c399a1c4d4d3bf4

SHA256
e482f5ffb713e1d9ca0c849a439ca3a103148d717084d865d0ab3bdb048f9d0e

SHA512
75fae94d0d528edaf7bdd29d54cc3ce9ec7813cd1fa7a763c75c7e70d6cce923a591ecd40146cf5ccd9c934fdd61500e8e4fa16faa16135d8356800faf6bb50e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
169KB

MD5
76919931d4fae8bc907404827875000d

SHA1
2262ec3bdbb71aaeadd3fc3718bbeca576867f82

SHA256
5bbf4571e8e49f5f71563b5d16a4114221048ee9659ef91983f91600ce6b2418

SHA512
c33215c0365abd57410f46e69633364f3d5012297ae83ac40506c7c7a9e259bddff67390e5952f60caba67ac101485a1f0390746e9d5cf7ce663cd6d219a0657

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
169KB

MD5
11f0a214a70b382786175d8a742045c3

SHA1
4acfa274e0ebce1ca1aa3e0094f74240c87e73d5

SHA256
906c5a35bb13edb370f76aee72ab3761b6fe49175256f9de59866ac9140b4a56

SHA512
b27679f4b9636ef183af3670c668a5ed060ef1d4ec368690fa3374e7fe4a2c32f9b3c2ddde11fbb5b92b024efd55da3ceaf0ce25ec8eb46d819757a63d00113b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Remote.exe.log
Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\Downloads\Remote.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\system32\SubDir\Client.exe
Filesize
3.1MB

MD5
875d3550ed90decbd5188e1d2cc961c0

SHA1
b067c399f32873bfb4d16524a87d17196c6a070b

SHA256
65914f9dcfa1f7e81859a9e042ee84b549bde879180d4eea3eb7fe4f50b73097

SHA512
c7799194bbebba17ce32765416ed75a996a29c9694191e6cc89966fa10a9675cafef26867320fabfbb21a851f4ee261b99b260aa0c4f5ee359fcd128a71c13fa

Download Submit
\??\pipe\crashpad_2952_VZNQERANWDVRPMRW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1048-96-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/1048-12-0x000000001C710000-0x000000001C760000-memory.dmp

Filesize
320KB

Download
memory/1048-89-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/1048-49-0x000000001D010000-0x000000001D538000-memory.dmp

Filesize
5.2MB

Download
memory/1048-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/1048-10-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/1048-13-0x000000001C820000-0x000000001C8D2000-memory.dmp

Filesize
712KB

Download
memory/3572-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

Filesize
8KB

Download
memory/3572-9-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/3572-2-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

Filesize
10.8MB

Download
memory/3572-1-0x0000000000A20000-0x0000000000D44000-memory.dmp

Filesize
3.1MB

Download