quasar | 6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

Analysis

max time kernel
154s
max time network
191s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Panel Ejecutador MTA 3.14.exe
Size

3.3MB
MD5

5791d405ca0a97a89eeaeb4f2be628be
SHA1

a012d40aaaa01db12a83b0e4408d012fd383dd0b
SHA256

6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d
SHA512

3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd
SSDEEP

49152:ovSI22SsaNYfdPBldt698dBcjH3xcEf8Kk/Ja1oGd58THHB72eh2NT:ov/22SsaNYfdPBldt6+dBcjH3xa8

Score

10^/10

quasar office04 discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3208-1-0x0000000000790000-0x0000000000AE6000-memory.dmp	family_quasar
behavioral1/files/0x0029000000044fe4-3.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4840	WindowsUpdate.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775178882579043"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
4012	msedge.exe
4012	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3208	Panel Ejecutador MTA 3.14.exe
Token: SeDebugPrivilege	4840	WindowsUpdate.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
5104	msedge.exe
5104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4840	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 2980	3208	Panel Ejecutador MTA 3.14.exe	80
PID 3208 wrote to memory of 2980	3208	Panel Ejecutador MTA 3.14.exe	80
PID 3208 wrote to memory of 4840	3208	Panel Ejecutador MTA 3.14.exe	82
PID 3208 wrote to memory of 4840	3208	Panel Ejecutador MTA 3.14.exe	82
PID 4840 wrote to memory of 652	4840	WindowsUpdate.exe	85
PID 4840 wrote to memory of 652	4840	WindowsUpdate.exe	85
PID 2304 wrote to memory of 1604	2304	chrome.exe	96
PID 2304 wrote to memory of 1604	2304	chrome.exe	96
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 2876	2304	chrome.exe	97
PID 2304 wrote to memory of 4144	2304	chrome.exe	98
PID 2304 wrote to memory of 4144	2304	chrome.exe	98
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99
PID 2304 wrote to memory of 4732	2304	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.exe
"C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2980
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe6e0446f8,0x7ffe6e044708,0x7ffe6e044718
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:1980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      4⤵
      PID:1984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:1608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:4020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8094913325559450109,2788266993177400708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
      4⤵
      PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffe5bc5cc40,0x7ffe5bc5cc4c,0x7ffe5bc5cc58
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5064,i,6451082184446375694,24676958508182668,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c6b813d47bf64b59140dc33e58353b98

SHA1
dcc049e7d63186cab94dc04360113a2ea62bee9f

SHA256
39799e2b7950d8996af95bc0a89061e86c8631dfbdba94d8f1fcc85b1c9cd29a

SHA512
155d76404d6e5334153364422bf9c0c0bff81ae5215c75f99b999bb9fb47ff90e12a43fcf1f6c04a1798b9a72675fb355de98dc6289b6fff56fc516366486491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
300d9b6a10d45ee2e34e715cfad4fae3

SHA1
fb13729fbac8014c5c583a815157ca35f1ce0336

SHA256
7c4e0c402f43898b5d6b70b00161a7c426a735681879c3aaf5bd52792157c482

SHA512
d5658bf16b5566359b9a8f87fbd00562866fbdb8d82a96845f59a013fe3b698dd508afdcbdc29fbf2641d6a87ff1036bd518c499e7d7e860d176c938278de4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1800f5c4393e4452127dd77e262280e2

SHA1
f06e5fa89ea640d73e9a43242f0181e316f488ce

SHA256
c241d90ccde4ffc202ca8adec0340857603ab4fa9fa6843875a8015dda61dc3f

SHA512
fcaebda620f8b8360b83c4c0934be1caca48e43ed3fcf29f6987cad77983ed58f90a391ba86435e8bc6b2d204dd3fa66b87a3698a482e4cf272bdd049066b0e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4010f8e2d898d134b30da5f3d3c4f27f

SHA1
02833f24b2a53be46748c8e919621b1da9bc070e

SHA256
33e667c2a4c637f435d8e2bc5458bf809135b8e91fccd50510182bf4e4a5eb83

SHA512
045cc415bd3c61ade3193b05b62d0b93fb7ecc4590cfe0939f5a1b29e4ee4c0769352dd2d6c70a462525b6fb4d4d1f06ceadb863d0f785f69d625ae7337cd62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23cdd46c83dca5219e00e3aec44348fd

SHA1
4d1630accc5d8b75bb8b17d313f9759888893f39

SHA256
cae4f4a6083f260b136d69a71470ee2a3b04244c8486514c15de935b7ff4d234

SHA512
58193f6d7f78de2cb9765a27b3d120445d230911c6b0a4081bc70c7932ba0d93735f979a5201ed1f276329abeea06fba8f095f91fbd3281c080339c28a5a0621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33f7eff133315bb8cbc42e56702b27a7

SHA1
60a94c09da42b4e4f394ca2f2b361112ae93cb73

SHA256
45f629d1abc063a8b4c31d00d7c1b69369bf4f7799fcb77fb535b773fdf96da2

SHA512
a30d0d1443b47ec6572079db043e3a671fc776a6e4e876bf9c6d29d388c40921bb5437efe04bb6ec6fa28937c85fcc713a7a9b6f32d372351ce928c654358e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
79e6cb349f76f6d05761f1cad4cc16b0

SHA1
0108a66d6737ccaadfa97812ee327219024601af

SHA256
b7063c7bed83097d9a31018e43e825db64d11fa6d5ce43affdd7b7e2ff85b92b

SHA512
5074d330c53d8972610d23add3bad539a4014de34ef8681804b53b95e9a93603f25e2093ad2619479bcf9336affe0e4f05decb3a63fd83841f07476eba887aa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
ce142ae328fa585bcb5498c4d79af1c5

SHA1
1eaa35ff7e4b9fbecd80cc059330a2fc67fe5e46

SHA256
e4cc4a5e1055cfd10298daf03cf7b031fdc28d3c15202fe70d20acf291e506bf

SHA512
7642f9e13fb5b28bed83eec7ad659d414eeb18cee51bea9a40358d7c4b5e1e9c7731019bfb9158565e0399f3ff3d7784113ef8e6344e480b516856713f9e5d50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
66d1780b0c83c05762f82d9dff235302

SHA1
ed64bdc3500fbd9ee9bf11630983cd8a5b590071

SHA256
d4678d2bc6bbf6536f4fd8a6d24113a8f833a7c93b01686c9a0aeece7cdf7bb0

SHA512
db95cb81fbce4c790e17d827855a6ffacd0280fc7a118b6273ac9c19f614ee881f297ac1bedccef63c7cdcff4c919d1debf8b4692063dbac9d9bd543381ef713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d9a93ee5221bd6f61ae818935430ccac

SHA1
f35db7fca9a0204cefc2aef07558802de13f9424

SHA256
a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968

SHA512
b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9fc751d5fa08ca574eba851a781b900

SHA1
963c71087bd9360fa4aa1f12e84128cd26597af4

SHA256
360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb

SHA512
ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9ec8e099fc1aea1895d07bcccdfe5acf

SHA1
cdfd95ae001023ef12d4f6db34272b7694b35440

SHA256
b1462fd71db30d495cff5d65e958b364e36a19a7909c907162194cace1ed342e

SHA512
a15b3542e53693884821490e57328007b5d17eeef4e59fea2e3565aa07aa97989fc1a579ff2d2c0e43a526b8cb64710ab5a9414517a48ac1e505162ffe2f88e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
9a2f2c25ba8e72a4d7ca5d3008c65bc8

SHA1
e497ef1bd84a44ea3a0522b09dc2b594e489ca28

SHA256
9365022e9da2004961a4a3cf753857569fcb01d630a70c501fdb6c5f53df93f0

SHA512
45cea9fd9ad40de5ec6adae6ec82b8c86a3e6037936811ace2c8c383adfcb11769279277eea457baa931077b656389923603da79d4cc28a30b29a0da1b8632a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
6013ad3d3766847df4da14392281b26f

SHA1
c4ae9246e198036bc3afbe3f8621be260bdd84bf

SHA256
6796f561492fc0c4a75cb403483aaafe07db5ccb53a4c01b0b6d8de32bd01e65

SHA512
1696b9ad7315797809c91d4c9cac3fd291171fa0a1e6412591fd506b6856c98bd605efa1c8a7aeda46618ae2dad9ca338494fc0d10cf28a3ef2fe7fdb7973d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee5375e4d2c4a3a7e45f586bb1a401ad

SHA1
a398c1863e88872ee844cadf9d299c9ea59df618

SHA256
bed54d7d7a1e284e87e2d4363de355eee6ca0db649443a39133f39647ec29796

SHA512
c3d0f17bd0ca6a25ca873f7ea4673767d2984ce83024d40d15ebe60e4ae9224637a10e473a365bf355a4a158489509820d0c4d4e33831920a3b73452c3968036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f9055ea0f42cb1609ff65d5be99750dc

SHA1
6f3a884d348e9f58271ddb0cdf4ee0e29becadd4

SHA256
1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348

SHA512
b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c029e76a78f124ad4aea56fa5196df7e

SHA1
e6794d580c9753f35c7e0ff6813c27fb3a3cd5f7

SHA256
9856a3a27dce1d7578353c623de39a2304fb02a4a543497e2ad4804fa03ecc4b

SHA512
cabc52938d407fa27147eaa7904f60fdce79eef6236e75f5dccdc4da1d58891c379635bd1f562c38268ef4c3476e30015396d09434cc008b54465f92959c3344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a515565f20977d510b10269b86adfafe

SHA1
32538e54137c321172cd000d5feb704d78440ce2

SHA256
6d4b4686476927849adefc3af1aebfce4d582d01167b65cae142648b7eef5574

SHA512
a6f8576e346efc476b7859f5660a3446050c638d448d48762e7b0ed27f4bfdebfaaf9058b5d176e7b94a553dcf88d2d199001c4dd5b9205468cd83f93e2003b6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe

Filesize
3.3MB

MD5
5791d405ca0a97a89eeaeb4f2be628be

SHA1
a012d40aaaa01db12a83b0e4408d012fd383dd0b

SHA256
6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

SHA512
3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

Download Submit
memory/3208-0-0x00007FFE61FE3000-0x00007FFE61FE5000-memory.dmp

Filesize
8KB

Download
memory/3208-5-0x00007FFE61FE0000-0x00007FFE62AA2000-memory.dmp

Filesize
10.8MB

Download
memory/3208-2-0x00007FFE61FE0000-0x00007FFE62AA2000-memory.dmp

Filesize
10.8MB

Download
memory/3208-1-0x0000000000790000-0x0000000000AE6000-memory.dmp

Filesize
3.3MB

Download
memory/4840-42-0x000000001E740000-0x000000001EC68000-memory.dmp

Filesize
5.2MB

Download
memory/4840-6-0x00007FFE61FE0000-0x00007FFE62AA2000-memory.dmp

Filesize
10.8MB

Download
memory/4840-7-0x00007FFE61FE0000-0x00007FFE62AA2000-memory.dmp

Filesize
10.8MB

Download
memory/4840-8-0x0000000002E90000-0x0000000002EE0000-memory.dmp

Filesize
320KB

Download
memory/4840-9-0x000000001CA90000-0x000000001CB42000-memory.dmp

Filesize
712KB

Download
memory/4840-12-0x000000001B910000-0x000000001B922000-memory.dmp

Filesize
72KB

Download
memory/4840-13-0x000000001B970000-0x000000001B9AC000-memory.dmp

Filesize
240KB

Download
memory/4840-14-0x00007FFE61FE0000-0x00007FFE62AA2000-memory.dmp

Filesize
10.8MB

Download