quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
226s
max time network
227s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aab4-5.dat	family_quasar
behavioral1/memory/1576-7-0x0000000000830000-0x0000000000B54000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1576	PORQUEPUTASYANOSIRVE.exe
2224	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769874425580204"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2368	7zFM.exe
Token: 35	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeDebugPrivilege	1576	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	2224	Client.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	Client.exe
1644	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4352	1576	PORQUEPUTASYANOSIRVE.exe	84
PID 1576 wrote to memory of 4352	1576	PORQUEPUTASYANOSIRVE.exe	84
PID 1576 wrote to memory of 2224	1576	PORQUEPUTASYANOSIRVE.exe	86
PID 1576 wrote to memory of 2224	1576	PORQUEPUTASYANOSIRVE.exe	86
PID 2224 wrote to memory of 1892	2224	Client.exe	87
PID 2224 wrote to memory of 1892	2224	Client.exe	87
PID 1080 wrote to memory of 2864	1080	chrome.exe	91
PID 1080 wrote to memory of 2864	1080	chrome.exe	91
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 1876	1080	chrome.exe	92
PID 1080 wrote to memory of 2424	1080	chrome.exe	93
PID 1080 wrote to memory of 2424	1080	chrome.exe	93
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94
PID 1080 wrote to memory of 3120	1080	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2368

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4352
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa49b0cc40,0x7ffa49b0cc4c,0x7ffa49b0cc58
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1352,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,4773728329209888300,3632854850668044082,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffa49b0cc40,0x7ffa49b0cc4c,0x7ffa49b0cc58
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2280

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
98bb667fc7d700c6b6144094a975d080

SHA1
ea1dfb79b1db7e3973a14a32085445fc21531386

SHA256
ff23a8c24c462246355cd95d7be8ec577adfa213f5394990f7312090cbc08224

SHA512
473c734953eff7ed5e371c5b6db90e4ddebd0c0ddc67da0b4196dd7bc61c683908dc2b0fc90b324190377e8ad52c67e35b2d5752ea0744f77f18ad77df34a8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5bea0ccd28c3ae746166f9443efcb110

SHA1
7e22c41007b3372cb179bdd1652e6a7a8b03114f

SHA256
b2b72a64ad5bc6cf8915d1c2ff17013b8e99b7f48434d7c50121654c25faaac1

SHA512
ed6404a6beba3611ffb3e096a18c82508fe40bcffc611edf5297d7eaf1d3df0a6d0b3f24b08af738521da0769a8877b2f7739c0f62f9953c9ac0ec7617cc13b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
ec619e1fa9ccafa7153184a269d8824b

SHA1
ce41bc2c5f428d7d748e44fc4180ffeca74962ee

SHA256
d7b56b0b3d7b5750cd3afd3812bc31384a055e2acfbb777aca9eaf3c92055aaf

SHA512
b4a581695e44173ad2bb6f812a970e3d5b72d4ce0b24d1fabf2553f30dbbcffd2c2c59c5cf81d3064a966f02a40e471f6f3d2e8fff53c24bb3b4c61e89b2ef99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
3821613636896b76c53f83ee1477e05f

SHA1
3e7108f5d09ee8da087bf74fd53cc7b82bc2ae43

SHA256
950751824ec6dbb6e3886b08646e073948e641dc8e66568970ff1dca5a1b01ea

SHA512
73da8de8bccdaf4f79e7e27bd4a55886dffb6f19ad5ef0d483a2bb3177399878bb9c784966f69f30844b846ae71632e39e8feef55010cddab66a0f2b35669b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0da28a4d66f198f9849e2b2616a8dfe1

SHA1
315fe88eddce60e925a4efd45bbf074222ea3b6c

SHA256
200e462378903aaa9a70fe3b3f69cb280aa3692c9e082e6656fde89615e516aa

SHA512
f149a0309ac062358dbea95aec7c5ce3f1b839119d2bcaf713cd00bd260320c7b849b1beaa0f4ddf40ed4e7eaeceb8c1cf0dc5f0037536f9bb02f7ed27a67367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4f415ff79e5b3a18830e8ba2e9e86e89

SHA1
76f602a3ff1725ac607dd892ccae41ef6ac7f128

SHA256
cf14d9a6337e9f5432ff003ae99ff6a08370b27f00355f8a453fde2dd2172215

SHA512
4a16fba09cdbc91d935964e07a2b963289a5ad42342a0cc686000e53bb9c81475d412f22624af4029a1c3805db149206b440d5462b1daebad01803b6fbf23b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6b8626c2666729fb5523cffe4d71dded

SHA1
08e2d7fb5f37b7720fb4e7963beffeef0fac5121

SHA256
49c18f46d61b2c4f56c554e04d501e1eb29c757778762c3bf0b836c5049815d8

SHA512
46d649385cf8972d32bd2b079084281ad2410da86e734f28e3286620949b56d65f9475caf0ef0bad005772a4716071b4cec1796d7232dcd1c41701cba5ba76f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b265fb3c051956138f453f3e2157b43e

SHA1
c6dd3051cb262d7e1971024aff9238b11fc85c1d

SHA256
5ca56cf9aafe7f615d0e03e22cd58b9e74d1a96417ba83ac7d87d1824f01783e

SHA512
a9c2c3b48848d9d659a383f9dcf8c3e992179f6e236270acf13d55cb2a4f365e4b78aa85c9cbbc8e77489646f6592e9267ce2992b9d4d12a52657d82ba4ba1c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86324adee1af1a4b2d7c9cacae21d29d

SHA1
57e0357a7f01aecdd965d0acf00e8cb2ef4c122f

SHA256
6a1b9910848e3ebc0115dd91aa2acdcaead69ba04d827866bd69f06a31f44d54

SHA512
b2e742a7aac1697fb4782dabd10105833798c9e5e523ae37eb469df6d9a5b52f33268fbf3eda4c6bac69b07fd91679cfe0c34239d9b36e2486911bc6a2f18b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6ca323cb62641112a6b17ae7190e617

SHA1
1cfca891df10ba692460ec9767ec28a060f4effe

SHA256
b681e1f1b9e451369ff29d9f38ac81e9cc64e71dcf800c91e65ebbb2aa9a76d5

SHA512
f71b09a27e9969b1467b41a5968b44ca732df4d57e4cbe23202028a38e1a007c31d89517986a659ab243db9bc75222c22810ef5ede16d8556a96ccd8acb4d8d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d6247ac73b6f1aae019bd7834499918

SHA1
bc9e22f7d144d27d66c7815e573afcd8531ba0cc

SHA256
cb3fe67a2199f94ca7c0a5bd69437de2ef5f9230ca6a75f3ec19fc63276d4ad0

SHA512
139cfb6bb28fe6e41c292a6fe496b47f8587b85e53a241bf6911c5f5b4dbf828f05fe886bdc763857a58560ac0e675337d9c28542a31f1ca7e250ac1f2459c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fd55f55442417d92b1b4a5f44c0bba2

SHA1
ab684dcd7095422cdb5694e527f6dbd0d4d6f31f

SHA256
0299a29d9dc135318fbc155de93425b05bbb60e5fe389d8bc2df98a3f2d562b4

SHA512
82344cb02bed8537fd65d81a45f63e4736131381b2c82d3589a478f937647aff05322dea72140e7d1b41ebf34ec9b0699bb430bc80204930190fb632c0f3192c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
714f111792eed9806f8b3a8d15d0a7be

SHA1
59f8300bb5b7955e8afcdeb4f8bc6b61df24bcb5

SHA256
c11082e0020a10f53f09095a6667bca0c3b5e54997dcedd2882eb72cc70b2217

SHA512
e69ff83ac074e635ecc190f13610ed996cacc6bec485920c97b1a6ae20f72dbae283a85fe1b4189678ab7653c583f7e7772c8ba50032bb58f39d05aef0915665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ef584f26f82ce4cbcfcbd9c36a0626e9

SHA1
3424d9e81d2819729f9c7c74d06d39da260b88a7

SHA256
0a1c72bf6384c1925c4cf9746bb878c5021e3892883c8bbfd86f85cd5231c2bd

SHA512
b20dc7df057289d736c4fef0d29eca85810c87bb135f578599ac37782a78ddb4fd825c5f484cc1e4525b5a67e6c9f3e6f03b89422fe9009a0cf006b5dfc2c7bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a993fab84b8916346c2cb58e37443ead

SHA1
9610358fb82d001d982af3be5d164eb5b4d20507

SHA256
48a962feb31fad8fff3887d1ea8849c026013e3ab6232853ac40f70540b76a4d

SHA512
6af88a7fdb97dc4d878d1761909849e4adc92011ca460f84eb854edc17d5fafe196336178f97428237d28461b7151cb946c4b0e6bfb074bda15fefe25d24ba37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
fe45af214c3a40cda67e5d08a5e16dd1

SHA1
64a049727a04cc65f2d9619e0d3e21cd6d2c6cb0

SHA256
b72cd5bed6929b2a319497b2143a6e4cd93795c47626e0d7af3e5a0376246507

SHA512
06d584374d146e1ea5b89038f7ed968d88a6e9ed3b58428eaf68b51b32048fb8fa3a44ba4f17e231b8cc62daea28930d55f81d0de100bacddd2f53325daaaae0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b66799d715b113faf28da5aaba5528ef

SHA1
1b20576808d17c24f7abf2c49a7facfbc1480da4

SHA256
bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868

SHA512
93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/1576-15-0x00007FFA503A0000-0x00007FFA50E62000-memory.dmp

Filesize
10.8MB

Download
memory/1576-8-0x00007FFA503A0000-0x00007FFA50E62000-memory.dmp

Filesize
10.8MB

Download
memory/1576-7-0x0000000000830000-0x0000000000B54000-memory.dmp

Filesize
3.1MB

Download
memory/1576-6-0x00007FFA503A3000-0x00007FFA503A5000-memory.dmp

Filesize
8KB

Download
memory/2224-52-0x000000001D150000-0x000000001D678000-memory.dmp

Filesize
5.2MB

Download
memory/2224-21-0x000000001C670000-0x000000001C6AC000-memory.dmp

Filesize
240KB

Download
memory/2224-20-0x000000001BF00000-0x000000001BF12000-memory.dmp

Filesize
72KB

Download
memory/2224-17-0x000000001BF60000-0x000000001C012000-memory.dmp

Filesize
712KB

Download
memory/2224-16-0x000000001B330000-0x000000001B380000-memory.dmp

Filesize
320KB

Download