quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
198s
max time network
195s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004504b-3.dat	family_quasar
behavioral1/memory/2340-5-0x00000000004C0000-0x00000000007E4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2340	PORQUEPUTASYANOSIRVE.exe
2228	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769469390689804"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe
4704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2972	7zFM.exe
Token: 35	2972	7zFM.exe
Token: SeSecurityPrivilege	2972	7zFM.exe
Token: SeDebugPrivilege	2340	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	2228	Client.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2972	7zFM.exe
2972	7zFM.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1876	2340	PORQUEPUTASYANOSIRVE.exe	90
PID 2340 wrote to memory of 1876	2340	PORQUEPUTASYANOSIRVE.exe	90
PID 2340 wrote to memory of 2228	2340	PORQUEPUTASYANOSIRVE.exe	92
PID 2340 wrote to memory of 2228	2340	PORQUEPUTASYANOSIRVE.exe	92
PID 2228 wrote to memory of 4704	2228	Client.exe	93
PID 2228 wrote to memory of 4704	2228	Client.exe	93
PID 2436 wrote to memory of 4300	2436	chrome.exe	99
PID 2436 wrote to memory of 4300	2436	chrome.exe	99
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4780	2436	chrome.exe	100
PID 2436 wrote to memory of 4612	2436	chrome.exe	101
PID 2436 wrote to memory of 4612	2436	chrome.exe	101
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102
PID 2436 wrote to memory of 1020	2436	chrome.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2972

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1876
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff827b5cc40,0x7ff827b5cc4c,0x7ff827b5cc58
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1564 /prefetch:3
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3888,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4524,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5288,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4504,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3408,i,12470332624339899677,12113116681508573507,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5c2a85734520a780d676b469ba8db28b

SHA1
7e2d915178621fc8007b3e4d17d2038d648b4ddf

SHA256
b87cd307f68051e8836ae1c240b0043972cbd772e9b153506088196c58cb8d8f

SHA512
3ab0e1a40f4754a14c4072afad8f9597528078fca35e669b567823368c43289c77631e1304bc34c1725c22a1b8d435fd313f6c0e069af624816d92cd7a0b1b4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
901a8c7c1b232377b63aaf50fde1dfa9

SHA1
f814bbc1cbf0eba7c38739fcd7c2c5e011c84d3c

SHA256
30477fed540c59edc9b5c81a7f651112e03c12762e2f0bdde225b40d110e3808

SHA512
d734660f5e7c523acdb81fb94782540044c4099241ee2f32bc12a1de86cbb6adc1c0a5c7f94d144d5fb51479265735b2691280716430096d3d16ed9b4073b00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1d0ea435-91e9-47e0-8cf7-3bb8e12420e0.tmp

Filesize
356B

MD5
8d40aa546b12f5d1ac5866e0d0a4d63e

SHA1
fd62e8a3f00eba51008fcdea896c8b88efe1ae56

SHA256
2a060231d8ea91b4aeb0f267470906dff64889f2bdf0a9f49dcbb5fde0ed200a

SHA512
1a70301d4f8a65771dc3a24f481eb79d4254a75c384ffcfc3c5fcdf55e03d140b643196b79a9b50426aee417c437b69d5452f554f14959d4bb14761774bc6b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
dbcd5361d01206d001317f61efe802a3

SHA1
f5380e6c83be265edf703b67f4148c480ec9f4a2

SHA256
1a9b6ee0ffbd8ce793db4ff810c94e39e041fdacd572d0c197954bb657743f8f

SHA512
bee8ffc9302172dd67ee15c523ed246df60e6694b372e54fe58c0cefe0ab45796f7decb4bf0a6d835d3c296c26c6eddcd56a0d7629ac2c6d0b8c9515e1541dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d5dfe0bb9aa6ead60ffc0213850b91c8

SHA1
5026ae40403b7dd96bf889d077b0f8270388c300

SHA256
5df614040e4c4a78a614165e264356930f283f65f73bf16ea832690e479c0e7d

SHA512
8fd1b2ae161a6dde5e9cb5a832822c7d33c356832103e1ca56a25a7080d8bce38f87be9602b4fb03ce9ea0996e9f79f6a514ff1764a42f7dca34f066ca6d745e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b4649b10985ccb2fab7327729ff05b97

SHA1
7cda120b59d1ef0dd77fea94f52e0b9e6cba1a42

SHA256
e055e1f71ba8ddbd54e72524c73ea8aeee7811f62ba70b366a7d97db58ae2803

SHA512
a60b513eaf94a25d7c97a08aea484fdaf91823cb303801b43eea9c3073a3e11c4dbeacfc722dc794ec91799a894876dad38b7a00301df5b715c97632edfa0cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
74277c02b9b805bc1ac0da7ec684e817

SHA1
0e9cc0571ff68769aa5229e7c4f9ae3d32f62aaa

SHA256
4206fea5879cc0de74db3ccfccb7128b7d20d04bc438de4e42a664ef309780b7

SHA512
1a48cf28e28c9b010df6cea5713bab1f1039cc3f8e8b915ca36b5c676a43b9f0e98badf3a82c0489a63b93581c28a151c2885f3fd21aebd0355d40ad36047ebd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
be91c64ebdd506957d947dfcf79438e0

SHA1
d1e17799e5bc2ce88af269820894a9a819f25634

SHA256
6a9c2c90e8f61a95d69cfd673af0570de0dc9a6921d50d33e5670da624ee5f20

SHA512
fc8f39af3cde344a4613cab9f78e0baf947c00bfdc8c1b2f8a8aeca507d57e44817032fba7f7efb60111e1e4cc7e3b762fa440c602a36d1c3d94abb172a5d8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db0a704d190a987e128642eccf08a714

SHA1
b660ec9138130a65a9d71e535624e20a9f228cb5

SHA256
55ec96e730624889ec2aa22914cc46005b19cf40cfe50d4b7d430bb9568b7bb9

SHA512
f8dafa0e05a60bf9309b121d1afdaadb2fab173389bce3f39deb5d6a5307ea9e3680e9669851f9c26a43def629faeb00333186321bb6ea788505b97aab9a8de4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
01466b007b0633a399aa1dbede36bd5e

SHA1
940791c04d258e4d325e2efe6dc5eadc10c31fd0

SHA256
2569ed1b7f5f607102b3cb4c32aa149fedccedff4632f0944298312b5467201a

SHA512
9e2d608a6c483211611a9afa5dbaf6ea3740a6a7d23868acf7d450ae58f9aedf7ceb704af9ad99e4580b255980e544967143b29186f75274c1ad4426562e6100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bd788738675265fb175baa540166e2ee

SHA1
aed8adda7b7fda8d39b8ef18415a9d7688a0db41

SHA256
5245ec384f33ed602f512a1bf06227d74d3035af211cad54f0b5ee8fb4346b2a

SHA512
3d6eac943132e8d1571198ec9aed77ad97fdcbff3e67bbf1ff0910664c427a652b61689357b2b52b416a4f1771e7c45c77ad3384fbeda567d1075e27a8bc05af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
430a6dd9dc62ea67cf3137435aab6aa6

SHA1
e09a147a43d61d948265b0788ac987adf690f4f4

SHA256
0a9be997f51412b33775a6f740969bd64bb13cc1d1d2e291b930ba612a2dc9ad

SHA512
237d40e6d6ff05b2d38fe22a37325a4d3cceb746f68e3850ee605e11e18eb1483aa246604aaac14fb244db01a0d3021d33892c0bb54b0fd839602654fa334fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0dcd6aaf77628a630be43c18d865c3c1

SHA1
2dcfad96ea7055ee17f146f1a632dd00ffd1f639

SHA256
67852fafafb86f88fb8dc98fa57980d9b651a8b810378760bbc2518ac68f3b3c

SHA512
bc2af82cafb414c098625ffd2e78c64d2f98e91b45b73c7bb97e16b7945dfbb14a66884bb9d765b2625ca6839bbe8be7125efc65760b7822baca6bc8ad56db49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f66525d334d82ab3d983bf9f49fb395d

SHA1
4f3379353053c0e7442071d981513cb3f261b61f

SHA256
8f46efb4d320b43532f498d442382b43067ac6d13a69f68b3ea7af5b46233464

SHA512
073a700f2e486bf11ca6aceac38abcf73f8e77ac328ea02cdef7b2ded199b7c0ffe6884886f0512da4cce19b6c28d2025f1dd7d54f489ddbc4306218586cf025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc63ca7d1611a3d72160fa49aa7a2f3a

SHA1
616e2f2ccedbf7cd4f88c8ea21409c65f4d95c38

SHA256
c522f6b82eec36704f668aac19b589189616440aa847fc63a143cab62df15b2c

SHA512
8188dc3e7cf58d240c2caae5d233f139ddd98d04eecf62b8b3baeb480edfc2c88ba1a7e36f44fe13f5421fcc30fded634b890d91a4698f256e960de43eeb6f99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16bc5649f6012e32101adeecfd996605

SHA1
1e7ef28240c6955af17be6957e1a939167ab6a67

SHA256
2ee56d82d60b57ac9ec6d23cadb3d67f81686c2f7b213185b2c0f12e61772e37

SHA512
75f8b9998ea4e5d845aad901f41dd6a228c8c1b8876f732ac39e6068bbca91f36f701d06bc99d7625501f56619025f74c229411ebcfe156a32ac4724cec392bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
58c73d8fec75634824e7fa8957e15645

SHA1
cb6d997e18f74b7529f43674fbe57e4ada4a2850

SHA256
be20973fa1f7bdde217677050e6080e0be20a298cf383fa52f62d7a5a8f360f2

SHA512
4b8814305b21206eb991e7805684580f67c8b3022c2c3a3fad5c2e38337d1cb3f76a1cd74703ced84ecd9b80801e0fbb87d2988b254b9e1abda03e2bf5d231ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
4601fd8e241337755b01d16a631916b2

SHA1
c79da33dd64c8d3db5914922df36775c7036d2f0

SHA256
cf446ccc1556bf10e96a05a85c5db12dcf65668faca99f595e2e8cc52e653a97

SHA512
3d08d66ea600291f6329f3c807ab54d2a4c50228b84fd5658213fc4c1987af78401eac319927ab1f4c4e8604def72ceefc75ccd6bda9f8043c518f949c4f1adf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
7507b9e361f531df84b691954c2f96af

SHA1
306bbf10a01f0bd0b0c1e85949e3981e908b839f

SHA256
d2e9e04a7bdb611d699a8d64f3756974face490c8d9dcb43144c28dd8b71b060

SHA512
f831d89a6b853f06152c0caea93b55530feb200d9e4453f39597d72e779dae7832a17ee2b9208bbc4c245b15272c37b9fcce31990a179712412fc29a1e9d7364

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
32cfe468b8c3d292efc67dfbc43e8b7c

SHA1
42ec0a24979f0092ab29b8191302020b029533c5

SHA256
4b5f829090f7fe541c30546d54c8f7696b37288e78da6a62339553d1e856348d

SHA512
d10e904c56d2a7d0b3fa57210d0fe42e9c5c4b418771f30ec92c8aceb05002e0bdff9b7fc5ae44730eba88ceb555ad64fbb6a2f53211fe9bd626e801e196dd08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
9d49c00b8dcb3c4de37794c19ecb84ab

SHA1
57f4c3256e1520e1322dbb1c83141edf5e5a6b93

SHA256
54dddfbbac6ae479c0530ee14c74f8d381893b2f82e804be89df322e582f5757

SHA512
09d0cc82e8b09cb2badb818dbceebf5fa3644be97d605f81da985ab493ea84299693b6a5d3d62ee76c42a2a07abf07bf6c56ee4ae0819126f6c7151014d2a4dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
2269c0420895fd77b58f2ad9c432ce59

SHA1
7a904dc419ea8ced7615bf8c7e075e899bc511bb

SHA256
18a3dadf79b1afc24001ee1bab091dd639fbb91ade0203ab18b5706438abb6bd

SHA512
e1b239de725e0efa740120a28ee6828463c609637c40d14c924180325c13a5a3ab9ef4038ca1f8e69dde97e0cf75f214dad913c0951fafef1db5b4357716e588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
bad6d65faf86c34179340386c2ba26d0

SHA1
a96e97df1d69dc17fba69b660cb231edc862bf4b

SHA256
2f3c9d997add83abff613566adad71fa7809df8c94aaa9c21d4ebdfdfa349e35

SHA512
b85fe5d4ded045f3dcbb08bc40b23c22be496bb21d6fd5345e07a1966ec484bf7c3821d53ddc09e6b26fc6fbce2cffa7e8a3e9754277a54dc24197a5d40dd487

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/2228-14-0x000000001C720000-0x000000001C732000-memory.dmp

Filesize
72KB

Download
memory/2228-15-0x000000001C780000-0x000000001C7BC000-memory.dmp

Filesize
240KB

Download
memory/2228-11-0x000000001C7E0000-0x000000001C892000-memory.dmp

Filesize
712KB

Download
memory/2228-10-0x000000001C6D0000-0x000000001C720000-memory.dmp

Filesize
320KB

Download
memory/2228-48-0x000000001E8C0000-0x000000001EDE8000-memory.dmp

Filesize
5.2MB

Download
memory/2340-9-0x00007FF825DA0000-0x00007FF826862000-memory.dmp

Filesize
10.8MB

Download
memory/2340-6-0x00007FF825DA0000-0x00007FF826862000-memory.dmp

Filesize
10.8MB

Download
memory/2340-5-0x00000000004C0000-0x00000000007E4000-memory.dmp

Filesize
3.1MB

Download
memory/2340-4-0x00007FF825DA3000-0x00007FF825DA5000-memory.dmp

Filesize
8KB

Download