quasar | afe6294896126bff591fd4ff3dee78474d3d5c1eb3ffb1e19feded5790274024

Analysis

max time kernel
81s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FrozenLoader.exe
Size

348KB
MD5

56df78c075bbdd3b936d20271cd5dd82
SHA1

3da3858b7567d1c553d5c0159fcb77bdd066a1eb
SHA256

afe6294896126bff591fd4ff3dee78474d3d5c1eb3ffb1e19feded5790274024
SHA512

e18fd89bfb797ba68fa8f9a74d152693ac2e8b7f2e8fbac564aa8ea6a8562176036eec6cd0ebf599821c6e047a9e28c105e45e7d3d65527c534d24334c1e4c6e
SSDEEP

6144:QG13U1vhtvTA19YhA/bDI3RdG2XC5pH1:LUJtLAvSA4y2XC5pH1

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.0.1

Botnet

Office04

127.0.0.1:2912

Mutex

QSR_MUTEX_kZpgHXcbTqoAXhJbxd

Attributes

encryption_key
BRjfOpzb3dVWPO5EbkGe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/1724-1-0x0000000000550000-0x00000000005AE000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4944 Client.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

resource	yara_rule
behavioral2/memory/1724-1-0x0000000000550000-0x00000000005AE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

pid	process
4944	Client.exe

flow	ioc
3	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639342045884738"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

5032 schtasks.exe
3392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

1584 chrome.exe
1584 chrome.exe
1584 chrome.exe
1584 chrome.exe

pid	process
5032	schtasks.exe
3392	schtasks.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exe

pid	process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FrozenLoader.exechrome.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1724	FrozenLoader.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeDebugPrivilege	4944	Client.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe
Token: SeShutdownPrivilege	1584	chrome.exe
Token: SeCreatePagefilePrivilege	1584	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4944 Client.exe

pid	process
4944	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1584 wrote to memory of 2464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 2464	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1112	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 432	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 432	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1776	1584	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\FrozenLoader.exe
"C:\Users\Admin\AppData\Local\Temp\FrozenLoader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FrozenLoader.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdab7ab58,0x7ffcdab7ab68,0x7ffcdab7ab78
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:2
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3996 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4964 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4676 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4108 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3084 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4712 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:8
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4496 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4180 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4964 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4824 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4460 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4868 --field-trial-handle=1928,i,16103191280291631947,10211908122636017968,131072 /prefetch:1
2⤵
PID:3352

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a6d069471ed9883cfc61d72c6d2412d3

SHA1
e0ac4b45394b983438d8b683acbe3bbdf8342904

SHA256
1147222a700a12c6d9b0da0601fc7ff60b7a71a2c423a90469b232a0afbaee7d

SHA512
fe9e366a1a6910062a1d870f05057ff5df81e00ad0bfb30d5e9987037c39da5542c8b23781e0098322a1344cbe69be2c9d67b947212ac620b051db3426f3942f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
24e4384a69abe6c3bfe1e05cdda65269

SHA1
f7a77aace3dc9e680509b780c56cf8d8e9a6aa76

SHA256
deb4aa2b445c8569e6628e5bf04e9eeb798f0b0f09be6ea6209cf77a66626480

SHA512
e562970c1e8250a44b456ce0900a12d23b107d872d27a12daff1d7724574df0bdff4d0827b30e3a2a6490bc0283b67cb03a2b8ccb4603bccfaf042a644b58764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c63d099e44ebe3db8f4f460d096619c2

SHA1
c2cb8af9a18ea9cffdc4b4ebc60c977a325cd412

SHA256
a160095a3480a302c1f60db19e205b2aa19e9a3b38ce2be894f65675a4a42caf

SHA512
4df6d61230306e641b44d9dff5dd055b7ebb48e08652b3b091933d9a8eba6bcd2ce570ac657962166084173ad1eab9cc9206f8b518b635c6349b43014605d9bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
28c84824ac52b79cec20e8e8a5a4e62e

SHA1
cdfed4d29dcb6ec0cf99ddffda2d7acf18059913

SHA256
858f6792a5fff88d2cde39dcc92ed290e80fd66da0d775dcefa6788edb57e211

SHA512
5fe2954798fd98b3b56660f6d1acce16ca2fc2df22891fe62ec5767b3ee551556ab09bfee37d2969ee449ab5784f3458caaf163fdac70070ebd9dd166c572e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
c7cae6ef854fe43b889e62853cd2d551

SHA1
e22d6a201764efeb7dfb87e6086facf98ebae952

SHA256
7f0a63a166c46c80ca570feb4a35c4e7358972b14224c53ca7ff0fa63d3c22d8

SHA512
527e83b2287b6d62ef86a8930d325289e7c112b4f432795a4c1345bc83ef45a0e40fdf8dac0b9e2e7db842685af8d2c5e55b7cb076b03e77f274c4b78cd96734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
90KB

MD5
8924a972857d1160c551102d2d5a7e5d

SHA1
99c8285177101f22a5d70ea9a51bbc30c44443ef

SHA256
d4e60f028a63e9e5ca1a8e057e4c814b0f32acbadf71250e3c2294eed0833d5c

SHA512
3716b1ac8853d26e7d80752603eeb19da3678bbac93703c1824d7ba6e36853347813cc6f3d9cf0501e9b40203825624a8bad6a073f5511af5f6541844977071c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fba6.TMP
Filesize
87KB

MD5
15bc9e949e5254e2d80bca58b7ff3667

SHA1
fee48c38d6fd501e3cc9a0509286ed01ba09b3ab

SHA256
8fc14b7ad3c2365f6e1c4de91992484d98bf886a96de908f8477fa1771b20c4a

SHA512
69907d5cc4908c99c646aeafd8061b8cd2f3ba1479748da093017ea9bb0f2463fb86d0f680c5fe379a74e99c56d7fa2bf5fdbcfc6ebecfa17f772f50c769f217

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
348KB

MD5
56df78c075bbdd3b936d20271cd5dd82

SHA1
3da3858b7567d1c553d5c0159fcb77bdd066a1eb

SHA256
afe6294896126bff591fd4ff3dee78474d3d5c1eb3ffb1e19feded5790274024

SHA512
e18fd89bfb797ba68fa8f9a74d152693ac2e8b7f2e8fbac564aa8ea6a8562176036eec6cd0ebf599821c6e047a9e28c105e45e7d3d65527c534d24334c1e4c6e

Download Submit
\??\pipe\crashpad_1584_PEUUOSIPVYQYABHY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1724-57-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/1724-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/1724-66-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1724-5-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/1724-1-0x0000000000550000-0x00000000005AE000-memory.dmp

Filesize
376KB

Download
memory/1724-74-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1724-2-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/1724-6-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

Filesize
72KB

Download
memory/1724-4-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4944-79-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/4944-75-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4944-114-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4944-115-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4944-73-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download