Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 16:21

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 2475d4da177970b8a4a500d9aaba32f3
SHA1: 6caf1ec2a2b6113d583ed73b95386b9674e5a0d3
SHA256: 89688b868e42a966640988359b5f06cbfea2f93cb28415e12238d213e0e0a317
SHA512: d2b2fa6e589d8cc82343e1b4bff8ea85766722f8b374061ad9f77fd21f136de75751099611f7e478f91eb0a91f3aba8f4b9de1dbcb48360424f9b09ae8535044
SSDEEP: 49152:humhH2eraca7APllSGNmeGwTK0G21E3oGvQkTHHB72eh2NT:huaH2eraca7APllSGN3GwTK0G21a
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: nigger
C2: 85.209.133.15:111
Mutex: 95ddd19c-037b-4e62-8c64-298b31d663b8
encryption_key: 43DE31297B50FED5B1E6867AE89B621C68EF71E2
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload 1 IoCs
  resource: behavioral2/memory/3232-1-0x0000000000060000-0x0000000000384000-memory.dmp; yara_rule: family_quasar

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (Client-built.exe)

Executes dropped EXE 1 IoCs
  PID 4420 f60DWDTB9UEF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f60DWDTB9UEF.exe)

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  PID 4488 ScreenClippingHost.exe
  PID 3984 PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS 2 IoCs
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795310017126178" (chrome.exe)

Runs ping.exe 1 TTPs 1 IoCs
  PID 3984 PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs
  PID 3232 Client-built.exe (3 entries)
  PID 3484 chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  PID 3484 chrome.exe (5 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
  Token SeDebugPrivilege: PID 3232 Client-built.exe
  Token SeDebugPrivilege: PID 4420 f60DWDTB9UEF.exe
  Token 33 and SeIncBasePriorityPrivilege: PID 1532 AUDIODG.EXE
  Token 33 and SeIncBasePriorityPrivilege: PID 2920 SpeechUXWiz.exe
  Token SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating: PID 3484 chrome.exe (all remaining entries)

Suspicious use of FindShellTrayWindow 29 IoCs
  PID 3232 Client-built.exe (3 entries)
  PID 3484 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage 27 IoCs
  PID 3232 Client-built.exe (3 entries)
  PID 3484 chrome.exe (24 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
  PID 4488 ScreenClippingHost.exe

Suspicious use of WriteProcessMemory 64 IoCs
  PID 3232 Client-built.exe wrote to memory of 4420 (procid_target 89; 3 entries)
  PID 3484 chrome.exe wrote to memory of 4836 (procid_target 96; 2 entries)
  PID 3484 chrome.exe wrote to memory of 4180 (procid_target 97; repeated)
  PID 3484 chrome.exe wrote to memory of 2944 (procid_target 98; 2 entries)
  PID 3484 chrome.exe wrote to memory of 3688 (procid_target 99; repeated)
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 3232): "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f60DWDTB9UEF.exe (PID 4420): "C:\Users\Admin\AppData\Local\Temp\f60DWDTB9UEF.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 4240): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bDGdRGpO0dkr.bat" "
    C:\Windows\system32\chcp.com (PID 3172): chcp 65001
    C:\Windows\system32\PING.EXE (PID 3984): ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

C:\Windows\system32\AUDIODG.EXE (PID 1532): C:\Windows\system32\AUDIODG.EXE 0x300 0x308
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3484): "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4836): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8f327cc40,0x7ff8f327cc4c,0x7ff8f327cc58
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4180): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1796 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2944): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:3
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3688): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3228): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3224): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4864): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5056): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3496): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1696): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3932): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2908): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4176): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4368,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1444): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5432,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3584): "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5352,i,6682379735155964732,6728881129307026839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2820): "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 388): C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe (PID 4488): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppXyz3w1x599ya8gjvt9jprqjvttt0dxhd7.mca
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx

C:\Windows\Speech\Common\sapisvr.exe (PID 1484): "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX
  C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe (PID 2920): "C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe" UserEnrollment,en-US,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles\Tokens\{D18EF7EA-33B6-4068-8EA5-AAB5469615E8},65552,0,""
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads