quasar | 8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685

Analysis

max time kernel
190s
max time network
190s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/12/2024, 03:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PORQUEPUTASYANOSIRVE.7z
Size

923KB
MD5

d757d40193d311216967491e36fc2ba4
SHA1

2dd90fa74c489da4f85bdf301053230b480a31fa
SHA256

8a31693ddf8924f144ba19a8802766188bd13f1ed7eea7c226eb0e01a9e47685
SHA512

9be26ab222457605eea0c42a4dbcfa80154cb384e6abf0db6a010fcca172a0eda8792b9e3fff9d67717f095f67448d9310c7e049f7fea8dd5907afe8bd462921
SSDEEP

24576:q9gl2kNvEE7GFdGqXsShFTAkBojKLUI56eGk:46vbIGqXscAkW+h1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00290000000450a3-2.dat	family_quasar
behavioral1/memory/5288-5-0x00000000004E0000-0x0000000000804000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
5288	PORQUEPUTASYANOSIRVE.exe
1620	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774957366601239"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
100	schtasks.exe
5236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
5716	chrome.exe
5716	chrome.exe
5716	chrome.exe
5716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1324	7zFM.exe
Token: 35	1324	7zFM.exe
Token: SeSecurityPrivilege	1324	7zFM.exe
Token: SeDebugPrivilege	5288	PORQUEPUTASYANOSIRVE.exe
Token: SeDebugPrivilege	1620	Client.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1324	7zFM.exe
1324	7zFM.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1620	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5288 wrote to memory of 100	5288	PORQUEPUTASYANOSIRVE.exe	91
PID 5288 wrote to memory of 100	5288	PORQUEPUTASYANOSIRVE.exe	91
PID 5288 wrote to memory of 1620	5288	PORQUEPUTASYANOSIRVE.exe	93
PID 5288 wrote to memory of 1620	5288	PORQUEPUTASYANOSIRVE.exe	93
PID 1620 wrote to memory of 5236	1620	Client.exe	94
PID 1620 wrote to memory of 5236	1620	Client.exe	94
PID 4356 wrote to memory of 796	4356	chrome.exe	100
PID 4356 wrote to memory of 796	4356	chrome.exe	100
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 1660	4356	chrome.exe	101
PID 4356 wrote to memory of 800	4356	chrome.exe	102
PID 4356 wrote to memory of 800	4356	chrome.exe	102
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103
PID 4356 wrote to memory of 5688	4356	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PORQUEPUTASYANOSIRVE.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1324

C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe
"C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5288
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:100
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc0fb1cc40,0x7ffc0fb1cc4c,0x7ffc0fb1cc58
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1560,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4872,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3308,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4064,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=504,i,12299403599354117714,7312826288000431029,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
efe3e1f0878945155112237cf0fc2164

SHA1
60db9f7ba407b8080b371dbdeb9f5eb612280d35

SHA256
2569d957f07541e2a1df40d2208fd0de5bc71e61ef53a2e3bb598af7055fcb6d

SHA512
82f088354273fc918932633c69939748c6b269e8c1b1542b6609a0536dd7f76a43a1a88e1655cc18dfbab9eb715c94c7c2837a30714473fc8f4513500b442418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
7855406783012e8d63b599460c21f24d

SHA1
94061b2f7949869674ae43c3c84006e559da50d5

SHA256
c2e0fb05bdbd8ba6e3500f9ac9bf728597a81a74e7a2ba6963a77979f0a588fe

SHA512
5b9e95e7fbcf89e5eaf23f4beb4c81e42840d69e871106ca543ca6835e928240e644cce29f89092372002561ae9878eaa0d6989bd50e61fb13dba113644e9664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3eb0ef1f920dff0cc99ccb67234d084d

SHA1
98b6f6e69200513e464dd3d89d7ad73557d6bf1e

SHA256
061c263a548305bfe53797581dc6e4454708c29a0c6cb4da4fa9ce0b08294e65

SHA512
f21806a0289c99fc159f1b84a2d94c61fe3cf16096c966d53526b6b1e0e4cbec6f790f7ab2971caffd7f690d26101257f7f63901dc8a3b65833ad6253184a3a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3446cc2dd4ecfd0355c882fa983261c1

SHA1
d71d66e411ad32d89194b9f235250e1a0e658801

SHA256
8d4cb12986aaf9da374279cd71d2eb02a10251f9e4bf22c59294712dedc9a665

SHA512
0fbc9ada74b61299273a266b96cb93e2b3f5d942c6d4cfa3af3eaf2acf253e09f95ce64537dc074b0a826c57db4eb1c0c3449792f9345c97ec81a0e53ea4d959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c54ec9d43f0c680a9dfe8ddeebbea1fd

SHA1
64f62486faac19f5e682b14c76b1ced77c356540

SHA256
603e9caa7deafc41795e4bb830fe4da3922de669180e77de1937b9458c22dddc

SHA512
20017a36faa54e8f1a61f2249bdcabc9980c0f860daf7d349420a49e45499d8e95f5500dfc6cb5365fc515d591a11b7f01597a7b830236ed4f94dfb368618634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
46d6b4a449962a835befd53a829c90c9

SHA1
13aaaa94ea39aa64982a2daccc55efe7c20143d2

SHA256
dd467412c4f04ee9adc9c9a40b5d0ac2089b4666a7d044fc36f8cc913f63de34

SHA512
c779995a6127b598f1503d77ae91d35ac3b8d47c0afddb641a3c411a18c36db8f69c5952c3ee062298e9f6c3a0e724d0dd7c66a4c46b6d8017c235fc3acdfa4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
323ca1d9f5146ca5924549e9badebf0a

SHA1
a55fb850993e055df7a781850f9a5093dd48acb7

SHA256
d260994e9870cd39ba5467b49056d77dc99a00c55ccd5e13559513ca6c36d8f3

SHA512
95b0d3dd02a6cbb5c758f8ad3b345be10399ed26d0b8bbb9a9c9529bae025319a231fe57a4df75dfb28ebcf22b099fd2691290ceb1450e40b7449ae09de10773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cc4d6964b08c37964105efd478086230

SHA1
54fc20a8e1f5c0e05c2f675daa40e6d0c165294a

SHA256
2ad0cd9af206993cf0f8f06d5d207338daee6c2f4c6227bb093bf940f1910186

SHA512
fed0be55073b7ed6152ab3f075d3d577f263b2a6fc8bf7654a4277c50204e1248389d637caf4b75f7bb864f1e05f2405cf6969810470a584cb7701fcf3da17a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ead547809d7e21db3a26bc784fa265a2

SHA1
f08af0f6b6645df2d438cb52dee743f34e02ba31

SHA256
d0d19885f6d686bd374657087c0d37db07b5017779b196467c1c46f961467f33

SHA512
f1189fdd93c2d613d3e1952d661a460ae5867b45f8bd7845b28627f310a5ed884be00c23bc4d041ca5f7cd918bd179f0e10a813ea569032267518c3c46d1ad54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
19aa2b52c701db56bdb7a7a09e40fb0d

SHA1
fa97b7d887d456f33be7831cc7d79acb26d56b92

SHA256
045001fe805a20d6fa5b6eed98cd07f3041b9802f0e42a745bc2ca2cdb86ff9c

SHA512
97cff63e0c5d892139bc3018bdea56ec146e19d044094db54a76dc8704d38ef9b9c2d359060a99e7f50d1f50c4f696c7da4e4656ce50bc83f475980d48ce162a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
091e1c2e1c7a151308d76f8aebd5afd8

SHA1
8cbf11ac718a8d3d818831720440b2957b982f5d

SHA256
5dd56aa60bb9ec087ae08eef71816ae4b8b3b03481d9fd53a2eb6cab78731403

SHA512
14c0e9f35e5f1888e7af331444f5665f161e06a229ee778b9f9a8e4e46ebb80a6f5e0dd6175faa1fb29e14a6ed8d1f128b7b10016a72c727e03d68a5cb27151e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
97dd2916f314b44b8b2cfc3fef1b070a

SHA1
c220c56d79fb2f36b0850902c85dc052262c80bc

SHA256
9cac4e3577af4dc8421e2b94cc7ad99fd6bcdbd51683c269a4423baa5847b679

SHA512
c18d62927086efaf6951eff62d53ec59337548301d1d6c0ee220624cdba5e84a12ef35284deed64dbabd1e39427a39f05d186fa5fc89367cff45e51017589f1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d213300818163b3de58094d5b60ff33

SHA1
d8f805deb7b6dcd996fd04766c772acc0f2979cf

SHA256
9f8a228d8e1d6337e59e5993bf513958e4450f3e606191d0053a864308148f4b

SHA512
82829f26a726795f5f9c48ad44bdfaf06d14a738d111d9cc1e0e207661d69cba4fdc7238b8fef03c173e88dbae101c2514e9938ca18c95c2b0e77e5b59827114

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
59da8ad9d9ed1e893db1e42b8e9a99e6

SHA1
6e072cb37c43d8c3a39f18a8426f37ae3f94f458

SHA256
27e35489fc90b9a5f1ff9be13da68757682b93a5cbde57c96586f19c8ed552c1

SHA512
0b83a353da64925435964da766a33c4573a1e37046acb3295eff094c50b19409a49491fc7927663fbe834868bb9c3e5c4acc40ec3a71a7943c37c85c862b88a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbf0282efa3b74581153012a1975fee0

SHA1
c5c9cd66116fdf2ab32ea03193728c7863f8891c

SHA256
338b64d32ee538ae82f4f023e1dd01c791e783eb0d00d1e3f9039a23b3b89bcc

SHA512
68262c16089da437073ec405919a653929acd11d84a9402209e43f15b3db324a1314292cc198f330ec585c806e5b06cbf5e2e74f3e3b0b47d3847b67632711d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c5063866fce2d19d0d96d233ffe4803

SHA1
29b214d67f3efacfa9fa3e6a270f93f751c3d789

SHA256
d05ecf917978478582ac7f0793f7b386e2b9ec53952ad0f402dcb25784e07d3d

SHA512
4d5e637a65365ea3c0a7aae03371498d925a4a81af609da5166780e8f1b855c5fb84d7a16668b3aaeed8cd96f700bf0a77da0f1712d62a1023f7d1ab59d65dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
981a2f6a24cde0b5a60a40ac49530540

SHA1
92b87724df16de43ec537b29b22807a2f10b6d69

SHA256
a6a1b6e04c18b9392e8bf6072293172fa39e3a53c49dea88e8741feb50a126de

SHA512
6e309aad7dcf7df9d4800e8e943da559da442a01cd67ae35a00b0ab7fc1338e2ddec41a9fbee8e466fcb35d834ab67751ba3b794b134cc7bce073b7cc743c157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
a390c85542747c530b2ccef7913a2ec6

SHA1
af78bceb5a3c58d5d93f2382f080393575f78f9b

SHA256
0e84c1aae5dd017b81ed2634bada464a302e01af977f0c3a1ee08a947fa33a6b

SHA512
9e8a4ef9f40b435e49fd794e70e1d751c43e47b30a0c3e704c091c50cfa7568497ec09547a0fe1773ee7592d7e3ba84fc1c935296feb556dbfee5c103b3c5954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
cbd74721ac7913d96940038fbaae6ae8

SHA1
9b2bd0f3653d7932743ff52f16c58c256498d9be

SHA256
bf10eb47d9b3d651feaa53e9885724742ce13ce584eb02d7c2febdd5d7e2d538

SHA512
8eb0e9b90b07838f40aaa94100bb46d3db487f3c9a832a5fde195ae4f4f12c2a6114af2aeb7380cbb6ff63046533c70786245112faea212df2b74bfc9b5c1443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
263ccc447b730c8f7b507633b9762056

SHA1
554a802798a280af49f4b828f5b388dab2995ac0

SHA256
fabd50a3c2198d84032c6f3e14fb9d0dbdf4c25f3830497a1cb76b11d8eab636

SHA512
3c4daa841052aecc55493b2d977a58d1d3175a1471792c0cd437236cc4b15ec31d52569dadab8581f1be73d646cbea26bd32ed6065fa4ffe86a7c60ecd7c423c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
eb9ed7b2e8317971121e7195494dc44f

SHA1
fea97d4803a731c8180414f4ecebc8edb2131b79

SHA256
a1000bdf370fe0cb74d3646819d02f0a7eb8c76f37e0a563a01e3689a31ca79a

SHA512
4b0cc9172c39dba6ad18dda3e0b01dd0646709ede9f5fd0cb5516843ce29d1d6eed764016e7aa5bfeb2ae52135ffe6e7c7043ea070ac0c6ac813a67c7d645a1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
3c08832516fb186785116dd05f18c346

SHA1
52fcabceea9ecccbf5c6273dc9f82f90c64079b3

SHA256
bfed6730a9e577a61e4b547b74d7b174d2540e563096295e3ee1a905a67ac004

SHA512
dea8d1acd92dc74c124affe398261a7f6a598d54f2c3eb36842d7c9d8a31686e0a9d24f2e53f1775ca183fe67fdc1f760e5c6062f6a9bb144234852e09bae3f1

Download Submit
C:\Users\Admin\Desktop\PORQUEPUTASYANOSIRVE.exe

Filesize
3.1MB

MD5
73565f33ed4d8741291cbb30409f1727

SHA1
4d3a54b28f3ea80f884a25905e27165bdc353109

SHA256
aafe953e627f9e733e101d7211f0c9594dbdf82ec4019b2c9aa361cbc478f0de

SHA512
d897b098ddcdc94ac9177bc9a90b700c8b9a7cfafa74f729beebf74a094f76a7bd69e764711bdfedcdd231465daef16e937676e391ca2c010df03fecc863b583

Download Submit
memory/1620-15-0x000000001CE20000-0x000000001CE5C000-memory.dmp

Filesize
240KB

Download
memory/1620-72-0x000000001E710000-0x000000001EC38000-memory.dmp

Filesize
5.2MB

Download
memory/1620-14-0x000000001C1A0000-0x000000001C1B2000-memory.dmp

Filesize
72KB

Download
memory/1620-11-0x000000001C1E0000-0x000000001C292000-memory.dmp

Filesize
712KB

Download
memory/1620-10-0x000000001C0D0000-0x000000001C120000-memory.dmp

Filesize
320KB

Download
memory/5288-9-0x00007FFC15A60000-0x00007FFC16522000-memory.dmp

Filesize
10.8MB

Download
memory/5288-6-0x00007FFC15A60000-0x00007FFC16522000-memory.dmp

Filesize
10.8MB

Download
memory/5288-5-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/5288-4-0x00007FFC15A63000-0x00007FFC15A65000-memory.dmp

Filesize
8KB

Download