quasar | 4da81d41e48ee5ddf37d4c5dd49826ccf9a9f4ee9b2b89f64323de3a45cd1f84

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

40e23e474ee8d2726fe03b40081a25d6
SHA1

81c729c9dcaa6357d4c3d5e7f5c10f5b1f2a5844
SHA256

4da81d41e48ee5ddf37d4c5dd49826ccf9a9f4ee9b2b89f64323de3a45cd1f84
SHA512

bc536ccedb560c762df85b316650db397d4bb03f4c7e6d30530d9a685d34e936c26ae3981e9ea87dead6e735b992588c9fb374ea644c11baa0db1c12ef165251
SSDEEP

49152:3vTlL26AaNeWgPhlmVqvMQ7XSKhuRJ6+bR3LoGdi8THHB72eh2NT:3vJL26AaNeWgPhlmVqkQ7XSKhuRJ64S

Score

10^/10

quasar wave generator spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Wave Generator

192.168.1.150:4782

Mutex

4fa54cdc-4bee-4759-b0fd-21bb6d6f9eed

Attributes

encryption_key
99A3D9CE1DE6501187FC4C0E50EBB3FE8AD7B9A8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Task Manager Worker Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/816-1-0x00000000009C0000-0x0000000000CE4000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2004 Client.exe

resource	yara_rule
behavioral2/memory/816-1-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

pid	process
2004	Client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642363962653555"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4572 schtasks.exe
4936 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe
5012 chrome.exe

pid	process
4572	schtasks.exe
4936	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	816	Client-built.exe
Token: SeDebugPrivilege	2004	Client.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

2004 Client.exe

pid	process
2004	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.exechrome.exe

description	pid	process	target process
PID 816 wrote to memory of 4936	816	Client-built.exe	schtasks.exe
PID 816 wrote to memory of 4936	816	Client-built.exe	schtasks.exe
PID 816 wrote to memory of 2004	816	Client-built.exe	Client.exe
PID 816 wrote to memory of 2004	816	Client-built.exe	Client.exe
PID 2004 wrote to memory of 4572	2004	Client.exe	schtasks.exe
PID 2004 wrote to memory of 4572	2004	Client.exe	schtasks.exe
PID 5012 wrote to memory of 3516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 3516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 1516	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 4728	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 4728	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe
PID 5012 wrote to memory of 396	5012	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Task Manager Worker Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Task Manager Worker Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0221ab58,0x7ffc0221ab68,0x7ffc0221ab78
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:2
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1768 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4084 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5072 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3324 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4184 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4396 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1656 --field-trial-handle=1976,i,7437230026774929265,14639935603743701094,131072 /prefetch:1
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d76be0030303759f8652b5b090482cb6

SHA1
6fade073f8bb2fc077036f144c4f94ceb9d1a4ce

SHA256
9c07fdb563b48ba05fc7a38117298e9c17d1195b0147f03a10518edf11aa0581

SHA512
a9fe4bd828d9edefa011643e76ca5b207dc3b7a7b585040440f445ec6380b12e1a92f181c240d2a65fe795900499d3b4e2cbc98acfb3fd537094b3e413be174e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ca6f6034725df47e83a7b0d08f5acb58

SHA1
7adb1d74a73d56b9a4d0f5d6c07a9465a202e927

SHA256
96fcd03b2995a37a605ba940311ca26ff824f0c4a85c8b3ed41f4afb82c3ee65

SHA512
baeb3339c08441a5a7451a49a30e38811a793ad149494671e4e07748fd04692e2fb7bd61c1801b4e7f319fb13ac373f0748d6cff4e2909224cd14712e8f9c7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
4b0d02f2a81ca3269c04fd3be37d53af

SHA1
025afa3f0d90e6b69c6fca081b402f5d8267bfc6

SHA256
df4f33e33c71d3aa3c8887f9dba7940d8a031e6a6274e234d3dcd12765c1f829

SHA512
dee3ac7b4e221b98070ccd72ab0bec9fb0ebefe650026f8003275229e2bceda48de5673c9e43b984d540d264208daad049d13b6b0b62060780ff5ffaacc27524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
ad1e9d4f6e4eb95ec3755391454e98f6

SHA1
e5a1e57d246914dd0060632ce335ab79702cc657

SHA256
5688867b78eef2c7724a31448be7fb9671c9593794877c0c4fe3ea66374f684c

SHA512
f98e8470852d8b87a40c8c227b6574c247924c40e1a622c8abbe0a23feccb95e14970ee92a129bc32e5cf09b0b4eab27185fb643721a3396f69791b59895313f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB

MD5
402fed6af25802372b3ab4086ee459c8

SHA1
80fbc0e147d503d8f959e25f9aaa1cb8b10fdbd8

SHA256
6aadff92c0c1a372c1e48a3aa41a673c5a91cfa40ab5202bd6d3bde9f5305f13

SHA512
a0bb55bae75b7d4bc15ed00c87754d603e0ee07e6fd9ae671ee56c9b96a9da9cd825aa1cb74979bebe47f98941f7f03608ad644bde16215e4d700523de8488cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d6c3.TMP
Filesize
89KB

MD5
8299c2919e18a90aa10ec7f0c6722174

SHA1
f647264a7c3d1e68a7f1b425e20a7cebd17d3bab

SHA256
476f9a9745dbee7d5352a5d077873ff630ad0a5aecb73fec180730273d5b52a9

SHA512
f7600da8c3d5b305bb1ce6ccbf6ed8956e033c70f683627283a4e74a6c69b5cf71a109b81d9c916303c5f944e417a1a1855339212da404f776bdcc314b97bed1

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
40e23e474ee8d2726fe03b40081a25d6

SHA1
81c729c9dcaa6357d4c3d5e7f5c10f5b1f2a5844

SHA256
4da81d41e48ee5ddf37d4c5dd49826ccf9a9f4ee9b2b89f64323de3a45cd1f84

SHA512
bc536ccedb560c762df85b316650db397d4bb03f4c7e6d30530d9a685d34e936c26ae3981e9ea87dead6e735b992588c9fb374ea644c11baa0db1c12ef165251

Download Submit
\??\pipe\crashpad_5012_PIARPHDDLFCTVIWV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/816-9-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/816-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

Filesize
8KB

Download
memory/816-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/816-1-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2004-14-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-13-0x000000001DDD0000-0x000000001DE82000-memory.dmp

Filesize
712KB

Download
memory/2004-12-0x000000001DCC0000-0x000000001DD10000-memory.dmp

Filesize
320KB

Download
memory/2004-47-0x000000001E700000-0x000000001EC28000-memory.dmp

Filesize
5.2MB

Download
memory/2004-11-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-10-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download