Analysis
max time kernel: 1051s
max time network: 1053s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2023 13:31
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: Client-built.exe
Resource: win10v2004-20230220-en
General
Target: Client-built.exe
Size: 405KB
MD5: 5d28f72d1aad116bab07c41530e7734a
SHA1: 1b0a277f8bbb8dbee1e791cda8c134d138ce0c38
SHA256: d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80
SHA512: 39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b
SSDEEP: 6144:R+iBrrx0Bua4fRbLHp6t/ixYbaZZWstTC/2pQLrUwlYh:FBrP0hiHHtO/GWrUwlYh
Malware Config
Extracted
quasar
1.3.0.0
NameSystem
bobbawb1000.duckdns.org:23092
32m2kfpPHGN1CMuUm
encryption_key: bhThH4m2frhSbvbgSILD
install_name: dirsys.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: dirsys
subdirectory: DirSys
Signatures
Quasar payload 3 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1252-133-0x0000000000850000-0x00000000008BC000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe  family_quasar
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe  family_quasar
Executes dropped EXE 1 IoCs
Processes:
pid  process
3024  dirsys.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
17  ip-api.com
Drops file in Program Files directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3cba4f88-83cd-4057-aba9-c01781c2271b.tmp  setup.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230604133511.pma  setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
3704  schtasks.exe
1444  schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Modifies registry class 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings  taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
3864  taskmgr.exe (repeated)
3024  dirsys.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
3864  taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid  process
1660  msedge.exe (listed 6 times)
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1252  Client-built.exe
Token: SeDebugPrivilege  3024  dirsys.exe
Token: SeDebugPrivilege  3864  taskmgr.exe
Token: SeSystemProfilePrivilege  3864  taskmgr.exe
Token: SeCreateGlobalPrivilege  3864  taskmgr.exe
Token: SeSecurityPrivilege  3864  taskmgr.exe
Token: SeTakeOwnershipPrivilege  3864  taskmgr.exe
Token: 33  1640  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1640  AUDIODG.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid  process
3864  taskmgr.exe (listed 64 times)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid  process
3864  taskmgr.exe (listed 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 1252 wrote to memory of 3704  1252  Client-built.exe  schtasks.exe (repeated)
PID 1252 wrote to memory of 3024  1252  Client-built.exe  dirsys.exe (repeated)
PID 3024 wrote to memory of 1444  3024  dirsys.exe  schtasks.exe (repeated)
PID 3024 wrote to memory of 1660  3024  dirsys.exe  msedge.exe (repeated)
PID 1660 wrote to memory of 4912  1660  msedge.exe  msedge.exe (repeated)
PID 1660 wrote to memory of 4240  1660  msedge.exe  msedge.exe (repeated)
PID 1660 wrote to memory of 8  1660  msedge.exe  msedge.exe (repeated)
PID 1660 wrote to memory of 1864  1660  msedge.exe  msedge.exe (repeated)
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "dirsys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "dirsys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outspect.dev/
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8dad46f8,0x7ffe8dad4708,0x7ffe8dad4718
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff777bf5460,0x7ff777bf5470,0x7ff777bf5480
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1044 /prefetch:2
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /K
      C:\Windows\SysWOW64\chcp.com
        Command line: chcp 437
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2ec
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads