quasar | a9fc07683b0c89a1a3cfba37fd4548e6b28ebf334dca8cf79d4edada41ece724

Analysis

max time kernel
141s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Top4smm Dinero Ilimitado.zip
Size

1.1MB
MD5

bfa47aae21e145867fa2536f3adb0fbb
SHA1

b7b6eaccdf32b323421b75ad8e4e420a4527b151
SHA256

a9fc07683b0c89a1a3cfba37fd4548e6b28ebf334dca8cf79d4edada41ece724
SHA512

8ca4870f1949aaf6476b3ed18bfa5764110184242d0ae2d631b28b618cb167ec4de3267776be67a6bfd1de66e5f777fc75d25a8de2c75ef16578637f514906ae
SSDEEP

24576:+NEcxEieY4MkUNZfAzaSbhDmRsYyAo1GMvTSplXql0pDAkddsid2g4:6Ecx5UUnfW9qRU4E2lXSH0sidD4

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002900000004502c-2.dat	family_quasar
behavioral1/memory/4132-5-0x0000000000E70000-0x00000000011A2000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
4132	Top4smm Dinero Ilimitado.exe
2044	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133782413256335568"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	WindowsUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2312	schtasks.exe
4008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
2044	WindowsUpdate.exe
1180	chrome.exe
1180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4348	7zFM.exe
Token: 35	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeDebugPrivilege	4132	Top4smm Dinero Ilimitado.exe
Token: SeDebugPrivilege	2044	WindowsUpdate.exe
Token: SeDebugPrivilege	3808	taskmgr.exe
Token: SeSystemProfilePrivilege	3808	taskmgr.exe
Token: SeCreateGlobalPrivilege	3808	taskmgr.exe
Token: 33	3808	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3808	taskmgr.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4348	7zFM.exe
4348	7zFM.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
3808	taskmgr.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2044	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2312	4132	Top4smm Dinero Ilimitado.exe	92
PID 4132 wrote to memory of 2312	4132	Top4smm Dinero Ilimitado.exe	92
PID 4132 wrote to memory of 2044	4132	Top4smm Dinero Ilimitado.exe	94
PID 4132 wrote to memory of 2044	4132	Top4smm Dinero Ilimitado.exe	94
PID 2044 wrote to memory of 4008	2044	WindowsUpdate.exe	95
PID 2044 wrote to memory of 4008	2044	WindowsUpdate.exe	95
PID 1180 wrote to memory of 1528	1180	chrome.exe	101
PID 1180 wrote to memory of 1528	1180	chrome.exe	101
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 4420	1180	chrome.exe	102
PID 1180 wrote to memory of 3636	1180	chrome.exe	103
PID 1180 wrote to memory of 3636	1180	chrome.exe	103
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104
PID 1180 wrote to memory of 4952	1180	chrome.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Top4smm Dinero Ilimitado.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4348

C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe
"C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2312
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb617fcc40,0x7ffb617fcc4c,0x7ffb617fcc58
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2112,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5124,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5396,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5260 /prefetch:2
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5128,i,17421365259957741071,14107228799256248655,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
63f47002f130a1ac5ffb584106fb6c72

SHA1
02d4e41dd141a98ecac230d60df5864ade0107a3

SHA256
f56d1a8d5306d560ec9702d7d89f717246f5689cea482bcc1a356690c7323405

SHA512
e13d24fefdd9bba9883ad2f13a1cd68b54f212a84059bb668d32d3b1b0ddb84dd9fce4d4219c331916d9a3e2f63de3cb90bcb99a600975a19e254db0c1650d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
eeaa1f957f676d53111a23b4f943cab3

SHA1
8f7eb30f1657cf0df77046a453db724c701b2052

SHA256
b8afdb23f7d59b213f355db18f22d6190e33741f85d389e45449e6eed6031d32

SHA512
7308efa1b2747bb7a2dc54f45b882c470bc69e9bd5f25b35a1a88997fcba0bb5fcacea4580c34a034ec62ac5e4c3cde1f4e70072344624e3c4859d42f77b38c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
02062cee1ef3d91c8439f46fa48d6a6d

SHA1
a7f2cbbbcad7ecc18e4118399d9c73cefd68f153

SHA256
5416a4e72557dce6be365fe5bcef0c2ab296f6585f773fabd6336b983e46c9c1

SHA512
b9ee8a9c5018824870d8e21a3d2d0313b7026c70917b470e44c48ee37105648498da4496829824a5dca06d5dc3da81a35ae71a429fa2863295b742dc49b1c461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4ba9f8e3f91777ce963b92e691891a61

SHA1
c5ceaa324420fe8177ca9b81a1781cf1402e6b5a

SHA256
e78252c53bcd07b8bc64b038e78ef140bdb1320d96221bba78b0d42ec36b232f

SHA512
8c0e4a3475c9ab1bde7f9ca0cd41b2c1822a2e5f69054e03aa762d16446965f58f163692de72b1eca3784c85fc003c709c62b11e71a0b12dcada03ae04c75728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
224a0d7d2266e08c5a779ceeaace28ea

SHA1
69048f9a13a7e44d25230c2623a424032bbf3a57

SHA256
1c3884a53e68af7b4036357d9cccd459dbe6a969f342b8bc9048e63153ca2618

SHA512
4bb5888947f3c0af3f9f9fc9f7bfeb50ce2565b9ee96ee1205f1dfe00302032eb5e6353b39c6ab382fbe18035ab55f9f7aac8c6abc0c1b9b16ed8ea0ddfb3bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbbb0e884e4c94e27e4812f59dc7e68c

SHA1
b1399e91fa8ff3e2c3a52c4cf3a127b5c9803abc

SHA256
3cec9ba2918f5ea870d3573b79d84be16bb1d4939f868f11a50758daf2fd3aef

SHA512
67904ddc266f2673a6c86a97873ef7e8eff7eac91d16805b314e0c757296bdf3adeaa34b1281c08d37f2d3c9b39c3930133496b807f2cb344b1b3cba06da5cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2d4b614b79c013d9635f1e7bc749a2b

SHA1
8383900a455fbd6a0d6ede4bf9e6ae07a10dccb4

SHA256
6bc490e86e235f4fc1e33453d03f66ea4957f4f5c2756012435b27f3b81d4db5

SHA512
84ccd4ae6ad274b3e8c2598037ed96d702105e460d043d1d81e63b1cf8dfeb179d16ca1683d247f0c6b5ba7e50057de6dcf6abb2d48e6aa2f2cc0d83cdbc956b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e5ec82acb8a10ee28d4718d04e678d42

SHA1
35f9ffffcf0588347dd6473b60283d0e0dae3e12

SHA256
f4e9937a3660c08514caa4d6ee94ed106c0a615f717d5c1659be86ff41c25767

SHA512
20c4e781f11054a33404e666ec174bfc81c6c56cd7970197bcb68516e2863bb537e2444ed5afda7b98805eb61333752ff69234e96b70182934cc1316f11752b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
603e6960fba1428de1204001deb0ae45

SHA1
06a8ae7a2b9cf02c3d6c484b6d5c148c8bc07c9a

SHA256
e8d1d561f285bf8b7d8e4f44ced66f03926d97b8262c26d534fd82220903d0e3

SHA512
3b73d47f9fc992f7c7f98344b4b67b8e22499e6b935bcd5ad529a270117e2f373ca63565fd9326d00e2f8a1efc3d747ccee284ef194d3333325bce575f280c66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
cc6d5f473aecc99ae0a37535e4e5860f

SHA1
5d541d69561c1711c2a572aadfac16e73e9768d9

SHA256
7261b75bfbb3a1edda13256f76a21c844cc6d8a3761706ec54223d92cff9daae

SHA512
e5dd5810944137ccf7e107267796f75bb9159ce3e8f6b93d4f13f76376fb0e64b42f1f4befde835b910a0c932b4cccc386826f0e7db7968f0dd5b0541c6ab449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
019c2146837ee32045a1b72b32a3a6a9

SHA1
910a2dc1ebbf57fe892c0ab440f131f295e82d8c

SHA256
5b6fffc4f67cf6a5eba8e1ad3580ac437fbec7cefb84205b14ddd3af6bf1b6cc

SHA512
4aa1b77176ad16a930cb76fea421996ec9dc309373fb0e708ce56370b4f00c441731bf7e3668d70494439ac13414374d592d920033579016b3a9e231ecf293af

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1180_616940857\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Desktop\Top4smm Dinero Ilimitado.exe

Filesize
3.2MB

MD5
74474ce327c2d8e2b74eba981a7e3249

SHA1
48544696b4ce7c96559a791efb58ec7481092454

SHA256
46ca3722c1851d6a68aea45c19e64a4c735eb236403e172422d02bbff4e35cca

SHA512
0c5b75305b19e0dcaacb9f3df556cdb136c002a5732625cb096fdd0a69e4a6a4b96507bb2948b847e2726d98e424462a237e0c0cecb1210c45cef52c7c1accc1

Download Submit
C:\Users\Admin\Documents\Panel Ejecutador MTA 3.14.zip

Filesize
1.1MB

MD5
d345c2eb24b0d3806865fda604ad1cc8

SHA1
6b813317f6108f2c242babda58097070503df242

SHA256
9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

SHA512
76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74

Download Submit
memory/2044-15-0x000000001C930000-0x000000001C96C000-memory.dmp

Filesize
240KB

Download
memory/2044-14-0x000000001B070000-0x000000001B082000-memory.dmp

Filesize
72KB

Download
memory/2044-29-0x000000001D9E0000-0x000000001DF08000-memory.dmp

Filesize
5.2MB

Download
memory/2044-11-0x000000001C9B0000-0x000000001CA62000-memory.dmp

Filesize
712KB

Download
memory/2044-10-0x000000001B000000-0x000000001B050000-memory.dmp

Filesize
320KB

Download
memory/3808-18-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-22-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-23-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-24-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-25-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-26-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-27-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-28-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-16-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/3808-17-0x00000109908E0000-0x00000109908E1000-memory.dmp

Filesize
4KB

Download
memory/4132-9-0x00007FFB51BF0000-0x00007FFB526B2000-memory.dmp

Filesize
10.8MB

Download
memory/4132-6-0x00007FFB51BF0000-0x00007FFB526B2000-memory.dmp

Filesize
10.8MB

Download
memory/4132-5-0x0000000000E70000-0x00000000011A2000-memory.dmp

Filesize
3.2MB

Download
memory/4132-4-0x00007FFB51BF3000-0x00007FFB51BF5000-memory.dmp

Filesize
8KB

Download