quasar | 9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

Analysis

max time kernel
43s
max time network
45s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Panel Ejecutador MTA 3.14.zip
Size

1.1MB
MD5

d345c2eb24b0d3806865fda604ad1cc8
SHA1

6b813317f6108f2c242babda58097070503df242
SHA256

9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908
SHA512

76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74
SSDEEP

24576:ioRau4l48JTUIlfSsqFDxCs3+UgQYuX370FBZa:ioRUv5UIYsqOs3+UPY234m

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000450a3-2.dat	family_quasar
behavioral1/memory/3000-5-0x0000000000500000-0x0000000000856000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
3000	Panel Ejecutador MTA 3.14.exe
4672	WindowsUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133788069820223790"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1660	schtasks.exe
1716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4020	7zFM.exe
Token: 35	4020	7zFM.exe
Token: SeSecurityPrivilege	4020	7zFM.exe
Token: SeDebugPrivilege	3000	Panel Ejecutador MTA 3.14.exe
Token: SeDebugPrivilege	4672	WindowsUpdate.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeCreatePagefilePrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4020	7zFM.exe
4020	7zFM.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4672	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2000	2136	chrome.exe	90
PID 2136 wrote to memory of 2000	2136	chrome.exe	90
PID 3000 wrote to memory of 1660	3000	Panel Ejecutador MTA 3.14.exe	91
PID 3000 wrote to memory of 1660	3000	Panel Ejecutador MTA 3.14.exe	91
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 4628	2136	chrome.exe	93
PID 2136 wrote to memory of 1132	2136	chrome.exe	94
PID 2136 wrote to memory of 1132	2136	chrome.exe	94
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95
PID 2136 wrote to memory of 4216	2136	chrome.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Panel Ejecutador MTA 3.14.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4020

C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
"C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1660
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4672
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffee251cc40,0x7ffee251cc4c,0x7ffee251cc58
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4396,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4668,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4484,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4696,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5332,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3196,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3260,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5232,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5064,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5228,i,13832979627826609194,7168765853539513509,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4784

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bed4c5a18558235c039947aebfff04ba

SHA1
c368543fb55913ac71b8b6ff5aec2fe5572186ae

SHA256
214cfd07003863c0cf56f0325b61a10ab668b16cb53ef4ded1cf0b26b6afbcd0

SHA512
5d3121cc60adc7553a807ff84dda5003caec7be5cb258926d00e25344446427e16a286e30d54244fbe69c6ce736cc969c7ae37a92d4e531b1f4bf570bdbbdef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
f485142216b8fa5ef1d22531178f4f88

SHA1
292616960ca48046dcc061436b66698d802ef48d

SHA256
6e31c63f53079fec35c9729d3efeca49dcfde393383b6d8014e6e3267e40cf12

SHA512
c580eab533d8e1bc15947f346ad1061dc04ef2b836eb2245a553fb621455d7a4f9dd2b9406d4a6b0a898566f30d8c0a175ce1bb7c1dbcc15108e1544a4f674fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
dd1309ac125131d4a66f9217c8e304eb

SHA1
e512e8c480075ede06bf15f4d95d9a8f874d7fdf

SHA256
7bb44ef2122a3bb1bc8c8026d6ab7dbdc4631c7e84707c5c9b971b21f2bc0890

SHA512
4af2db7a9994e9508b7be3b8326d29564662b11fa3d2b8099f6148478a7ac0202abbc2813ddb7d02046337fe5f6647c9521539b14a167c0b37085d96bc08ebc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dba2b39909433019b050bf889fec6024

SHA1
ac288b53b05a8c595a9eb803b9aa525c937237be

SHA256
851b2e6a4028f1f67ba1ae38cb32d67764e61abdae066dbbfd040b81a4031fd8

SHA512
5b3e5a54312bcc436bf95ab4ed35457df54d6442af380319c83fe9d75e820dba4c979a140694f84efe999af386ed94d517e06684b9eeaf0587237bb96c4941be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2da349371336b8ef21a4156bc80eeb6d

SHA1
ad572279d282d676212da51f3e6a9810462a47ea

SHA256
7f2099ba68ba9700f6e7a7c81ac9ec43b6bbf1e1ee7ec600c8b4521cc8cbdf22

SHA512
fd425df06de4b18c628df070f5f9c2675f815dd38da4b3510804326ba8a20914c0d2a416641bcc4045c24fcbe6cd1884e0ceb7ccb62a88f125582deed9a26686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1504a0cc6e669e26c9b13683f5152d99

SHA1
b7f00b16627ed2224232e9976e495e2182012a6b

SHA256
d2989ae2e080c748b82de6cece825ef22b169aed226052deca5fb7274ae08000

SHA512
6b98c16da1509805e59ff578aeb3974be104b136a2fff9d6841d18084093a445c86bcb8473a6b45781c0be2431bf613e6b5345e4935cebb9ad0a5cb230aa084a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
555d4211cc9630567585bf11b66c3b5a

SHA1
8246e64771fc9e23428454e4ed9cce2e8b620ce7

SHA256
968d1de059193e7d7fd5b7510c4f3183773e9081042e9ed51c363718172f93c8

SHA512
778cddb82a2c831a235c814e6449337f93d4902ed2e7dbd426820539c10f0d4f9acd6a40ed6acfd63510016107671a07a24f0d8dc49724bd24d0735a66505253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
fc51cb548f2a0e118d7d4b9d6d9918d7

SHA1
21876f14b2d1050d5cff0c27866a421633532b3d

SHA256
62845d25c748d628cbb70baf0384972938d175c0c64ebe84762e3a15ff42987c

SHA512
8d2771bf463c9b4c310f5b9638109e6b2bc3873831e891aed6b6c5c1f7869bbedfdc4a080dfbb46c975df27fee283eda748ff7b8c06170711767b03a69fc72e2

Download Submit
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe

Filesize
3.3MB

MD5
5791d405ca0a97a89eeaeb4f2be628be

SHA1
a012d40aaaa01db12a83b0e4408d012fd383dd0b

SHA256
6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

SHA512
3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

Download Submit
memory/3000-14-0x00007FFEE7590000-0x00007FFEE8052000-memory.dmp

Filesize
10.8MB

Download
memory/3000-6-0x00007FFEE7590000-0x00007FFEE8052000-memory.dmp

Filesize
10.8MB

Download
memory/3000-5-0x0000000000500000-0x0000000000856000-memory.dmp

Filesize
3.3MB

Download
memory/3000-4-0x00007FFEE7593000-0x00007FFEE7595000-memory.dmp

Filesize
8KB

Download
memory/4672-53-0x000000001D2D0000-0x000000001D7F8000-memory.dmp

Filesize
5.2MB

Download
memory/4672-52-0x000000001C260000-0x000000001C29C000-memory.dmp

Filesize
240KB

Download
memory/4672-51-0x000000001C200000-0x000000001C212000-memory.dmp

Filesize
72KB

Download
memory/4672-35-0x000000001C2A0000-0x000000001C352000-memory.dmp

Filesize
712KB

Download
memory/4672-34-0x000000001C190000-0x000000001C1E0000-memory.dmp

Filesize
320KB

Download