quasar | b20abd5beb95d17b9c77dc4fa06c98af37b62489e9cf5da8e4e12b19ed93cf6f

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03-06-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dishkum Tena.exe
Size

3.1MB
MD5

36970784c3736c71546d73e0773ee956
SHA1

2d09c257a3e09b079d23520400953bafc495e06e
SHA256

55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d
SHA512

6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c
SSDEEP

49152:Gvht62XlaSFNWPjljiFa2RoUYI1C91JgLoGd9hTHHB72eh2NT:GvL62XlaSFNWPjljiFXRoUYI1CE

Score

10^/10

quasar dani69 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Dani69

192.168.1.2:4782

Mutex

9f26ad88-50ee-4f62-81ff-c770a798a67c

Attributes

encryption_key
81B07382BFEB227CBA1AE8701042E7A26708E9ED
install_name
Dani69.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Dani69
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3096-1-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Dani69.exe

pid process

404 Dani69.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4788 schtasks.exe
424 schtasks.exe

pid	process
4788	schtasks.exe
424	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618740495832909"	chrome.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4208 chrome.exe
4208 chrome.exe
1536 chrome.exe
1536 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Dani69.exe

pid process

404 Dani69.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4208 chrome.exe
4208 chrome.exe
4208 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

pid	process
4208	chrome.exe
4208	chrome.exe
1536	chrome.exe
1536	chrome.exe

pid	process
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Dishkum Tena.exeDani69.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3096	Dishkum Tena.exe
Token: SeDebugPrivilege	404	Dani69.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe
Token: SeShutdownPrivilege	4208	chrome.exe
Token: SeCreatePagefilePrivilege	4208	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

Dani69.exechrome.exe

pid	process
404	Dani69.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Dani69.exechrome.exe

pid	process
404	Dani69.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe
4208	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Dani69.exeMiniSearchHost.exe

pid process

404 Dani69.exe
8 MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dishkum Tena.exeDani69.exechrome.exe

description	pid	process	target process
PID 3096 wrote to memory of 4788	3096	Dishkum Tena.exe	schtasks.exe
PID 3096 wrote to memory of 4788	3096	Dishkum Tena.exe	schtasks.exe
PID 3096 wrote to memory of 404	3096	Dishkum Tena.exe	Dani69.exe
PID 3096 wrote to memory of 404	3096	Dishkum Tena.exe	Dani69.exe
PID 404 wrote to memory of 424	404	Dani69.exe	schtasks.exe
PID 404 wrote to memory of 424	404	Dani69.exe	schtasks.exe
PID 4208 wrote to memory of 4936	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 4936	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2952	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2120	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 2120	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 1540	4208	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe
"C:\Users\Admin\AppData\Local\Temp\Dishkum Tena.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4788

C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Dani69" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffbf2f8ab58,0x7ffbf2f8ab68,0x7ffbf2f8ab78
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:2
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1660 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:1
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3764 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:1
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:8
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4444 --field-trial-handle=1800,i,1480448080179710796,4935634749616134888,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1856

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0283bdee-319b-4d73-97e5-36ec7c182e40.tmp
Filesize
356B

MD5
b80b8b037dcb5810d2e22730144a716c

SHA1
918318193bfe10e22260a34983a401f32b0ae50a

SHA256
afb3f3e7ba71ccc6ee2e597f15ab23ac0a98dd7ccc535126f8392a9e02073f9d

SHA512
c71acaa02d1facdb3bbc8fa8c7fc002102e21b59adbd56b66c552dbc3dbf96428844b636604b1d774b35f43f1420359de9b1a9cf84f04573322712b34e915e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
bafe872c4314a94674255ec7e7fe3f3b

SHA1
f7cffdb4b9dbbaa5e1e8a589a84ea9ac930fe29f

SHA256
6c69539946292d4773c9b88d5a9705c9d7dd07053e67e2a4bfb66dedbef42883

SHA512
948bdbe042cf855e3bb87e11068326458ae22641f5b35a83cd875d85fea137c2057abe0a9e2f87216dcf52897e7fa110cde390d56c637adabd020d05d9fed09a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3385a1fbf9944f3753ad08bb657c73e4

SHA1
776b6e4b894f94c5945767d303e35f6b07ceb82b

SHA256
728f883f352d5067d6cd44dd88b8fc149ee5fbce8c05ce51994193f0780cc5fb

SHA512
1e306321e33e9ee337fd1c8b3cae43896dfa2638a93bc85ea1821b2a0a24d6ac0ab431b59d989c432d50f57cec289036888b48ae5b3f5d5e675bbdd85b993f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
31f9a319518028d6149dd686adf1bc6d

SHA1
c46c30294740954b2d2a806f15f5ae9c662fa1c5

SHA256
0c229912b92c6338d480b0d9506a62872c96f8b9622f09c8f68b6daf5beb6b54

SHA512
2cbbc8975409447b8905b435ad0f2206bfe60058bf83193781b8a9467a506618a4d39435f18635c4b12a9dfd16257f167da10b9617a4c10760d4d19cbf9afac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
f41c1272aeb0ff8572f291959965d2b9

SHA1
4683795882189354bc6f880edcfd0ade94f4acac

SHA256
39e4a77aae28f39fe4ec4b0ac066de3771a4f11df4978dce5803850be9ee5db9

SHA512
3243ca5a4726544a4f9d8d0cc2845f276fa890228057da49fd7d783477aca641b5a004d0b0e14a0e024c1c6b43dcfa73d5772a17e5acc3bee16c3b4e36de5bca

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
2f23663111658be2ba0b273463ff5e60

SHA1
c2af77369b83a0177bfdb90c11fad4c5f897a983

SHA256
eab4709a1ad32b0b87a53d307893899eb3ee26c6a59a1b34fe83062c79817513

SHA512
e0fdfe555a47709cbf14c4c22498c89c3e8fd61c5b40806b9dd06aee20fbdcd3d9c4f7861d1183df15e9c64ed25828f97c8292bc6b4a700d3d4586433bf45bd8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Dani69.exe
Filesize
3.1MB

MD5
36970784c3736c71546d73e0773ee956

SHA1
2d09c257a3e09b079d23520400953bafc495e06e

SHA256
55d9f08bfa42b14a3bbb968df3b645e18ea4c311656c272c1b9522aa648f955d

SHA512
6f0fd26eb7f2b64c875f7021f82ddf8240beaba804a6649404ac8e33115d1372dc53cae94e242b1a77a4bf86f4836bc072b9e64563204b591d03357d3c82be2c

Download Submit
\??\pipe\crashpad_4208_DRYGAZPSDMLYMBVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-54-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/404-13-0x000000001C320000-0x000000001C3D2000-memory.dmp

Filesize
712KB

Download
memory/404-48-0x000000001CB10000-0x000000001D038000-memory.dmp

Filesize
5.2MB

Download
memory/404-55-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/404-12-0x000000001C210000-0x000000001C260000-memory.dmp

Filesize
320KB

Download
memory/404-11-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/404-10-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/3096-9-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/3096-0-0x00007FFBF9313000-0x00007FFBF9315000-memory.dmp

Filesize
8KB

Download
memory/3096-2-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

Filesize
10.8MB

Download
memory/3096-1-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download