quasar | 9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

Analysis

max time kernel
47s
max time network
49s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Panel Ejecutador MTA 3.14.zip
Size

1.1MB
MD5

d345c2eb24b0d3806865fda604ad1cc8
SHA1

6b813317f6108f2c242babda58097070503df242
SHA256

9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908
SHA512

76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74
SSDEEP

24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002800000004615c-2.dat	family_quasar
behavioral1/memory/4656-5-0x0000000000C80000-0x0000000000FD6000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4656	Panel Ejecutador MTA 3.14.exe
1156	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133788507184856827"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1798060429-1844192857-3165087720-1000\{2343E93C-61E9-4474-AA5D-C222E306C9A6}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4764	schtasks.exe
3724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3500	7zFM.exe
Token: 35	3500	7zFM.exe
Token: SeSecurityPrivilege	3500	7zFM.exe
Token: SeDebugPrivilege	4656	Panel Ejecutador MTA 3.14.exe
Token: SeDebugPrivilege	1156	WindowsUpdate.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe
Token: SeCreatePagefilePrivilege	4064	chrome.exe
Token: SeShutdownPrivilege	4064	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3500	7zFM.exe
3500	7zFM.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1156	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4764	4656	Panel Ejecutador MTA 3.14.exe	89
PID 4656 wrote to memory of 4764	4656	Panel Ejecutador MTA 3.14.exe	89
PID 4656 wrote to memory of 1156	4656	Panel Ejecutador MTA 3.14.exe	91
PID 4656 wrote to memory of 1156	4656	Panel Ejecutador MTA 3.14.exe	91
PID 4064 wrote to memory of 1960	4064	chrome.exe	93
PID 4064 wrote to memory of 1960	4064	chrome.exe	93
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 2684	4064	chrome.exe	94
PID 4064 wrote to memory of 1332	4064	chrome.exe	95
PID 4064 wrote to memory of 1332	4064	chrome.exe	95
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96
PID 4064 wrote to memory of 4020	4064	chrome.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3500

C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
"C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4764
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1156
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff9dad0cc40,0x7ff9dad0cc4c,0x7ff9dad0cc58
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4708,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4992,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3192,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3156,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4888,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5040,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4620,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3364,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3320,i,12183617410340255827,17875920241727339335,262144 --variations-seed-version=20241211-065542.269000 --mojo-platform-channel-handle=3256 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3620

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
14860004cf44995ee3bf96bca52c4932

SHA1
6667f68aea26ed605263c6614eabeba89276c4ff

SHA256
4c7a5bd29739458f576098b2e91471b9358d2171f03afd069714e4251c629d00

SHA512
2fcbd2d71974bda9534cc5281dca0c8ebc7010cfc8524a5aa8cc15f58a5fdc52a1f45cc00b6d169488f74a8dd03105c19847ef0abbb7e35c393f2f73864eb7e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
01a979dfd037cdffd47ae33b7e00dedd

SHA1
9350d60b63741373a9aaf40b2a66d2a1737200eb

SHA256
c55db91ea15371dd77764f02767fe4d79ed8343ff16c6df1c34dd38b812d1766

SHA512
ccae649ba6304b9750fef1c07f7983da5501235852e8a2e501daca94dc9f001dc8cfa4c69a3788742b5eacb2218ecb1c4df6f1975ee9e4de563e0bee5c0f1ad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a00caed62f25345b547a8f59bef490b8

SHA1
9f2b3dc4cf6ecc82e67c73527e5639c8f6c89bef

SHA256
12ccb4b783606277f1efd4cc98cd7fbe64900ac4fa4dcad47fd209a8a9b1cbce

SHA512
d763396a67673d575373d0bf40106d25ad9eae3dc8585bd2e1f68d6a81199629589497c0a96b7ae592a4ab3c37a06a64d52d2c91eb46ebe4ad850034f51f77db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
696a0e023cf3472547f815f71f7c6b3f

SHA1
0dd7c7f01c4bb49ebb91a8cf592672c3ceac782d

SHA256
9dea9b5822e88cde7b0392a47ee26c65a1272876d557c31d0cf3286a7ffbde11

SHA512
8f1977e2eba8672a0cdce888556fec58bd577c43aed334cbe443145890c24c791580ed8013b43712751c6a8921185aa16e8403d1988ca88a50c278494d2b3d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eac7fb4f10649ebde3a4c1ae68ddba90

SHA1
c960e098bb0e37182d38cf46d361ca3135663701

SHA256
c955eec7d13a29e90a862e6332530c9b8df4461de8bb2686431879e9223cd4ef

SHA512
05d6e42247272c0be66581cd8ed80f0db0ad50cd4491612c9678b879902e89367b80de1bf512b5ff2545cc95020e7206c58fbf6c90d9a18c71520c4c6bcfafe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5de172e10f3dc24c2b4ab4ab3fd4a90

SHA1
e8b222d3058de912c5a26e1a8b2e99bd87f65af2

SHA256
1da76527a2ea0b5a44c7c47e7012d27fa2189a5820c335debac1b76f0cfe07f6

SHA512
43e46d03b31a169ccfeb08612c397b6e523ad3c80201481593726ffa976b526c2a91507342c8e3109ec9d8d61df1935f2e4e14a38a215824e2e35dfeeed856cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f4e1a7df6b7e694399a579749966f55f

SHA1
861680fd740b504374a202f26aed16a8ee9632fa

SHA256
3af5bcbbdac18b740b7f3f72e2b1569200d48db5ffde703c1fe7170ab80c10f9

SHA512
8af30014a0d8a667887797efc6987e22f73d6c07adf7760bcfd440ba7dd69ca6ab0de8b95b4bd33776c29dece4a40e735eed24710c6b788cffb63388e69040a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
80B

MD5
c014e5c0db0d2b54177aa205b51c20f1

SHA1
6f4bbba43b93cc1a723dcc4d73bd2b0feb091629

SHA256
1b909a787c2deb55ef08f1525eabe833c1d30a8aa23e80b406bf9a5c3d801a23

SHA512
d47cee01c91e84a160a00cfeb9ccdca0b4d6242116325e91cc785672638a825006f6c6211ef31e6029015cb2ac4b39227a65377d669b50c30be63ab34c7c7e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57f5d9.TMP

Filesize
144B

MD5
ea6c4bbf579236820ceccc865e281d91

SHA1
7c56f7e1a0daa6d97b2c69d9eae92ca1eab4986a

SHA256
f01ba00e58fed36d5e0aa518b5ed32ef4ed9b890b1470cdee0262f36551dac15

SHA512
c0ae640c198f3919d61f30a8eb118a32869ac7763b4750e17ec15cef90deed23d322d33b5b9a1ee4e6e89092d3c2621127346542efc47ca01543804dad9a0a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
e141c385271a1920226066bf09ad735a

SHA1
d56d4d30c659a7be88de0580cf554684fd9aa65a

SHA256
8fb28ffa94109b49b3657f3c3a3b54424f835f317480ec987bce42b5ac130482

SHA512
b0e06a3f5d502ded486689623495ef2f2ab196df3a6dc73a1398c33b1a0fb35d0138effacd2254fa8dc38317297d4715d2c6da16cd317d8e26c6485d5eb80987

Download Submit
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe

Filesize
3.3MB

MD5
5791d405ca0a97a89eeaeb4f2be628be

SHA1
a012d40aaaa01db12a83b0e4408d012fd383dd0b

SHA256
6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

SHA512
3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

Download Submit
memory/1156-19-0x000000001CF50000-0x000000001CFA0000-memory.dmp

Filesize
320KB

Download
memory/1156-20-0x000000001D060000-0x000000001D112000-memory.dmp

Filesize
712KB

Download
memory/1156-38-0x000000001D760000-0x000000001D79C000-memory.dmp

Filesize
240KB

Download
memory/1156-37-0x000000001D000000-0x000000001D012000-memory.dmp

Filesize
72KB

Download
memory/1156-36-0x000000001D850000-0x000000001DD78000-memory.dmp

Filesize
5.2MB

Download
memory/1156-181-0x000000001E180000-0x000000001E327000-memory.dmp

Filesize
1.7MB

Download
memory/4656-9-0x00007FF9E0190000-0x00007FF9E0C52000-memory.dmp

Filesize
10.8MB

Download
memory/4656-6-0x00007FF9E0190000-0x00007FF9E0C52000-memory.dmp

Filesize
10.8MB

Download
memory/4656-5-0x0000000000C80000-0x0000000000FD6000-memory.dmp

Filesize
3.3MB

Download
memory/4656-4-0x00007FF9E0193000-0x00007FF9E0195000-memory.dmp

Filesize
8KB

Download