Overview

overview

10

Static

static

3

COMPROBANT...GO.exe

windows7-x64

10

COMPROBANT...GO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    272s
  • max time network
    282s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-02-2025 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COMPROBANTE de PAGO.exe

  • Size

    854KB

  • MD5

    e56d988fd3f4b747bf69c724085878d6

  • SHA1

    876cbcce543f49cf190a12c4a07c3139247e05ab

  • SHA256

    e490dc9257f951ed3e61055852315cac3f13dd404f88d546a06010639fb55f93

  • SHA512

    06f1c1e8c48340dda4115d0b5221502ad90a5e92e1eafc351d765ec91343a91e5bda8fb85d8cee1601a69800dd5502492310aa01b32aba5a3b11ba9120f881d6

  • SSDEEP

    24576:JRuPGExISnGAvq4TYlCjXZfQVbhImUTdlmajaO:z96wgYUjX9uhnU5o

Score
10/10
quasarstroy3adwarediscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Stroy3

C2

twentyfivev.crabdance.com:61538

127.0.0.1:61538
Mutex

QSR_MUTEX_jgYB0FbAXwuBLBMCAM

Attributes
  • encryption_key

    7ghxCAmzO7RIdS51gVaQ

  • install_name

    cpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    cindows cpdater

  • subdirectory

    cindows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 13 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe
    "C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe
      "C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe"
      2⤵
        PID:868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 80
          3⤵
          • Program crash
          PID:4388
      • C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe
        "C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "cindows cpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\COMPROBANTE de PAGO.exe" /rl HIGHEST /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:704
        • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
          "C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
            C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
            4⤵
            • Executes dropped EXE
            PID:1032
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 80
              5⤵
              • Program crash
              PID:4588
          • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
            C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
            4⤵
            • Executes dropped EXE
            PID:3576
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 80
              5⤵
              • Program crash
              PID:348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 868 -ip 868
      1⤵
        PID:3024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1032 -ip 1032
        1⤵
          PID:2976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3576 -ip 3576
          1⤵
            PID:232
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTM3NTJBNTgtNTRFRC00NjQwLUJDNjYtMjVCRTg1M0EyMkM5fSIgdXNlcmlkPSJ7RjEzNDEwNjktN0U1NS00MTJELUE3RjctQjk5OEM0OTk3MzBDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjM0RkZCMzgtMjEzNy00Q0YxLUI2OEItMDNFNzA3QzQ4NzkxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTI4MzE0Njg2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
            1⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:5112
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\MicrosoftEdge_X64_133.0.3065.59.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
            1⤵
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:4636
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Installs/modifies Browser Helper Object
              • Drops file in Program Files directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4988
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff72f786a68,0x7ff72f786a74,0x7ff72f786a80
                3⤵
                • Executes dropped EXE
                PID:208
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                3⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of WriteProcessMemory
                PID:4264
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff72f786a68,0x7ff72f786a74,0x7ff72f786a80
                  4⤵
                  • Executes dropped EXE
                  PID:876
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2992
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7eae76a68,0x7ff7eae76a74,0x7ff7eae76a80
                  4⤵
                  • Executes dropped EXE
                  PID:676
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of WriteProcessMemory
                PID:4544
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7eae76a68,0x7ff7eae76a74,0x7ff7eae76a80
                  4⤵
                  • Executes dropped EXE
                  PID:2416
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2336
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7eae76a68,0x7ff7eae76a74,0x7ff7eae76a80
                  4⤵
                  • Executes dropped EXE
                  PID:1400
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
            1⤵
              PID:3284
            • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
              "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3688
            • C:\Windows\system32\wwahost.exe
              "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2100
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTM3NTJBNTgtNTRFRC00NjQwLUJDNjYtMjVCRTg1M0EyMkM5fSIgdXNlcmlkPSJ7RjEzNDEwNjktN0U1NS00MTJELUE3RjctQjk5OEM0OTk3MzBDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0N0E1NDJDOC1GQkQyLTRGMDMtOTE3QS0wOTk5MEQyRjZBRjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGNvaG9ydD0icnJmQDAuNDIiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNCIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTI4OTUwM0YtNUM5MS00RjlFLTlFODUtNkFDMDcyQzQwMjc4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iNCIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDIyMjc5NTIxMTU5MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE2NTAzMjY2OSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTY1MTg4OTQxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODYxNTk1NTU2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3Mzk4OTgxMzkmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Y3M2NHMlMmJvQ0dMRXE0QThwYmdmQSUyYjNNbHk2MzZ0bSUyYm1weTk2UTRTaUdvMlNUSkZLYkFIYW5kSkk1NHYyS2JGZjRuYXg2ZXJpRE9pOEthRyUyZk1PdXQzUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU4NjE1OTU1NTYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2ZlZDU1ODA1LTJlODUtNDFkOC1iNGUzLTRlZjZiNWViZjYzYT9QMT0xNzM5ODk4MTM5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWNzNjRzJTJib0NHTEVxNEE4cGJnZkElMmIzTWx5NjM2dG0lMmJtcHk5NlE0U2lHbzJTVEpGS2JBSGFuZEpJNTR2MktiRmY0bmF4NmVyaURPaThLYUclMmZNT3V0M1ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIGRvd25sb2FkX3RpbWVfbXM9IjYzNTAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU4NjE3NTE3NzYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTg3NTM0NTgyMyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjUyNDQwODEwOCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc4MSIgZG93bmxvYWRfdGltZV9tcz0iNjk2NTYiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjQ5MDYiLz48cGluZyBhY3RpdmU9IjEiIGE9IjQiIHI9IjQiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2MEM3NUFFOC1ERkRBLTRGMUEtOENENy02MTA2Mjk3RjI2REN9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNCIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuMTQiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNCIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0QzQjg3NjEtQzUwNi00RDIwLUI0NTktNjYzN0JFMDA2ODIzfSIvPjwvYXBwPjwvcmVxdWVzdD4
              1⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:3016

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Active Setup

            1
            T1547.014

            Browser Extensions

            1
            T1176

            Event Triggered Execution

            1
            T1546

            Component Object Model Hijacking

            1
            T1546.015

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Active Setup

            1
            T1547.014

            Event Triggered Execution

            1
            T1546

            Component Object Model Hijacking

            1
            T1546.015

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            1
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            System Network Configuration Discovery

            1
            T1016

            Internet Connection Discovery

            1
            T1016.001

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6295FE08-5555-4642-9EBD-59C36DD5D7D6}\EDGEMITMP_42A6D.tmp\setup.exe
              Filesize

              6.8MB

              MD5

              1b3e9c59f9c7a134ec630ada1eb76a39

              SHA1

              a7e831d392e99f3d37847dcc561dd2e017065439

              SHA256

              ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

              SHA512

              c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

              Download Submit

            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Filesize

              3.9MB

              MD5

              ad5f7dc7ca3e67dce70c0a89c04519e0

              SHA1

              a10b03234627ca8f3f8034cd5637cda1b8246d83

              SHA256

              663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

              SHA512

              ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

              Download Submit

            • C:\Program Files\msedge_installer.log
              Filesize

              75KB

              MD5

              ee6c1176e19a2081cd537003972bea59

              SHA1

              b7930f72936bf31c56678c9a7792e4f02cff52f6

              SHA256

              3856ef1e226d90bc88dc81d701157e1a5c49e9aab93897381044d9b4d74cebc7

              SHA512

              d160da4dd9f53dd3c2d13f4328f84f57ec8d625f2f8d172b35d1190c91da83f1a7ab08a7be1b0f9b21f691c404e407ba9c90382a4b57e39e2b5b9597e22a8160

              Download Submit

            • C:\Program Files\msedge_installer.log
              Filesize

              102KB

              MD5

              5923233e392f600ad25c7d3c481149f9

              SHA1

              9c06e0821608527c560cb20edd3f882c11d86f2c

              SHA256

              b04448f7b87f4a31882199bc9a3055dc07725eaf8919e4d246e9befa9a5511e6

              SHA512

              77be81e8f442e0e6eead4d4303328e32af97bb237348a4a317c3aa56e89c3da4d8ac15dcc81c2991a16075b7aa464bff98fcaa37991d77eedcc28200b4f8bccb

              Download Submit

            • C:\Program Files\msedge_installer.log
              Filesize

              105KB

              MD5

              6f51fefe12705a91f776f8c8d805f122

              SHA1

              a6a8671cc04ddc90b49643529b8fe59d4676d317

              SHA256

              b04970438db3db1ed95c29c195172aa4fd5cf5c07ae52a6c8f6f2666b133172b

              SHA512

              3548efc6cb2770be791fff95f8e39b573eb18d70476789087c8bbaf12bf40fc1d8b639e56fb7895796fd478f68ae65ec8df5cf2586cc93e77e254997889d9760

              Download Submit

            • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
              Filesize

              533KB

              MD5

              cd87e4211aa6fa99acf472dbcd138b50

              SHA1

              aaeb3af0053f481f30902991af5571b4cbf76ca7

              SHA256

              2b2adeb1ce9ceb9cbdb06beab83c27e7b5eb1e0db6921df73e0181600b590242

              SHA512

              dc3541d5de60508168191bfe3ffce93235d6840dca2bd12a4ca38f44e707f2d7cda9a4fbfcfbee1097aa1fcad24dd02301cfe4c0caaa662a5d663249c2909b1c

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COMPROBANTE de PAGO.exe.log
              Filesize

              706B

              MD5

              d95c58e609838928f0f49837cab7dfd2

              SHA1

              55e7139a1e3899195b92ed8771d1ca2c7d53c916

              SHA256

              0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

              SHA512

              405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
              Filesize

              854KB

              MD5

              e56d988fd3f4b747bf69c724085878d6

              SHA1

              876cbcce543f49cf190a12c4a07c3139247e05ab

              SHA256

              e490dc9257f951ed3e61055852315cac3f13dd404f88d546a06010639fb55f93

              SHA512

              06f1c1e8c48340dda4115d0b5221502ad90a5e92e1eafc351d765ec91343a91e5bda8fb85d8cee1601a69800dd5502492310aa01b32aba5a3b11ba9120f881d6

              Download Submit

            • memory/540-9-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

              Download

            • memory/540-13-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/540-14-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/540-15-0x0000000005A80000-0x0000000005AE6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/540-16-0x0000000005F70000-0x0000000005F82000-memory.dmp

              Filesize

              72KB

              Download

            • memory/540-17-0x0000000006CA0000-0x0000000006CDC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/540-22-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3688-104-0x0000024E40A60000-0x0000024E40CA9000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3688-103-0x0000024E407D0000-0x0000024E407D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3688-102-0x0000024E407A0000-0x0000024E407AA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3688-101-0x0000024E26280000-0x0000024E2628E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4264-29-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4264-24-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4264-23-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4600-6-0x0000000005260000-0x0000000005266000-memory.dmp

              Filesize

              24KB

              Download

            • memory/4600-5-0x00000000078E0000-0x0000000007972000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4600-4-0x0000000007E90000-0x0000000008434000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4600-3-0x0000000007840000-0x00000000078DC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4600-2-0x0000000007740000-0x0000000007846000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4600-0-0x0000000073C6E000-0x0000000073C6F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4600-12-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4600-7-0x0000000073C60000-0x0000000074410000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4600-1-0x00000000007A0000-0x000000000087C000-memory.dmp

              Filesize

              880KB

              Download