Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 04-12-2024 05:32
- Static task: static1
General
- Target: PORQUEPUTASYANOSIRVE.7z
- Size: 923KB
- MD5: d757d40193d311216967491e36fc2ba4
- SHA1: 2dd90fa74c489da4f85bdf301053230b480a31fa
- SHA256: 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
- SHA512: 9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
- SSDEEP: 24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Office04
- azxq0ap.localto.net:3425
- e51e2b65-e963-4051-9736-67d57ed46798
- encryption_key: AEA258EF65BF1786F0F767C0BE2497ECC304C46F
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x00280000000450b8-2.dat: family_quasar
  - behavioral1/memory/1664-5-0x0000000000290000-0x00000000005B4000-memory.dmp: family_quasar
- Executes dropped EXE (2 IoCs)
  pid / process:
  - 1664 PORQUEPUTASYANOSIRVE.exe
  - 3204 Client.exe
- Drops file in Windows directory (1 IoC)
  description / ioc / process:
  - File opened for modification: C:\Windows\SystemTemp (chrome.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / process:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  description / ioc / process:
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777640920285545" (chrome.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
  - 2404 schtasks.exe
  - 1484 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
  - 3796 chrome.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid / process:
  - 3796 chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / process:
  - Token: SeRestorePrivilege 1644 7zFM.exe
  - Token: 35 1644 7zFM.exe
  - Token: SeSecurityPrivilege 1644 7zFM.exe
  - Token: SeDebugPrivilege 1664 PORQUEPUTASYANOSIRVE.exe
  - Token: SeDebugPrivilege 3204 Client.exe
  - Token: SeShutdownPrivilege 3796 chrome.exe
  - Token: SeCreatePagefilePrivilege 3796 chrome.exe
- Suspicious use of FindShellTrayWindow (28 IoCs)
  pid / process:
  - 1644 7zFM.exe
  - 3796 chrome.exe
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / process:
  - 3796 chrome.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process:
  - 3204 Client.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / procid_target:
  - PID 1664 wrote to memory of 1484 (1664 PORQUEPUTASYANOSIRVE.exe, procid_target 91)
  - PID 1664 wrote to memory of 3204 (1664 PORQUEPUTASYANOSIRVE.exe, procid_target 93)
  - PID 3204 wrote to memory of 2404 (3204 Client.exe, procid_target 94)
  - PID 3796 wrote to memory of 928 (3796 chrome.exe, procid_target 98)
  - PID 3796 wrote to memory of 4240 (3796 chrome.exe, procid_target 99)
  - PID 3796 wrote to memory of 3240 (3796 chrome.exe, procid_target 100)
  - PID 3796 wrote to memory of 3932 (3796 chrome.exe, procid_target 101)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1644
- C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
  Command line: "C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 1484
    - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3204
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
          PID: 2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3796
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa4339cc40,0x7ffa4339cc4c,0x7ffa4339cc58
      PID: 928
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2056,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2052 /prefetch:2
      PID: 4240
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2416 /prefetch:3
      PID: 3240
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2444 /prefetch:8
      PID: 3932
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
      PID: 2584
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
      PID: 3172
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4584 /prefetch:1
      PID: 2184
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4900 /prefetch:8
      PID: 2980
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5012 /prefetch:8
      PID: 4280
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4896 /prefetch:8
      PID: 1744
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4900 /prefetch:8
      PID: 4796
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4896 /prefetch:8
      PID: 3504
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5276 /prefetch:8
      PID: 5016
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5388,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5504 /prefetch:2
      PID: 376
    - C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5020,i,1830776311769057763,7410945073731611564,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5092 /prefetch:1
      PID: 116
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 2028
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 2460
MITRE ATT&CK Enterprise v15
Downloads