quasar | d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80

Analysis

max time kernel
1051s
max time network
1053s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

405KB
MD5

5d28f72d1aad116bab07c41530e7734a
SHA1

1b0a277f8bbb8dbee1e791cda8c134d138ce0c38
SHA256

d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80
SHA512

39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b
SSDEEP

6144:R+iBrrx0Bua4fRbLHp6t/ixYbaZZWstTC/2pQLrUwlYh:FBrP0hiHHtO/GWrUwlYh

Score

10^/10

quasar namesystem spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

NameSystem

bobbawb1000.duckdns.org:23092

Mutex

32m2kfpPHGN1CMuUm

Attributes

encryption_key
bhThH4m2frhSbvbgSILD
install_name
dirsys.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dirsys
subdirectory
DirSys

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1252-133-0x0000000000850000-0x00000000008BC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe	family_quasar
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

dirsys.exe

pid process

3024 dirsys.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com

pid	process
3024	dirsys.exe

flow	ioc
17	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3cba4f88-83cd-4057-aba9-c01781c2271b.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230604133511.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3704 schtasks.exe
1444 schtasks.exe

pid	process
3704	schtasks.exe
1444	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exedirsys.exe

pid	process
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3024	dirsys.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3864 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe
1660 msedge.exe

pid	process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Client-built.exedirsys.exetaskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1252	Client-built.exe
Token: SeDebugPrivilege	3024	dirsys.exe
Token: SeDebugPrivilege	3864	taskmgr.exe
Token: SeSystemProfilePrivilege	3864	taskmgr.exe
Token: SeCreateGlobalPrivilege	3864	taskmgr.exe
Token: SeSecurityPrivilege	3864	taskmgr.exe
Token: SeTakeOwnershipPrivilege	3864	taskmgr.exe
Token: 33	1640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1640	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe
3864	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exedirsys.exemsedge.exe

description	pid	process	target process
PID 1252 wrote to memory of 3704	1252	Client-built.exe	schtasks.exe
PID 1252 wrote to memory of 3704	1252	Client-built.exe	schtasks.exe
PID 1252 wrote to memory of 3704	1252	Client-built.exe	schtasks.exe
PID 1252 wrote to memory of 3024	1252	Client-built.exe	dirsys.exe
PID 1252 wrote to memory of 3024	1252	Client-built.exe	dirsys.exe
PID 1252 wrote to memory of 3024	1252	Client-built.exe	dirsys.exe
PID 3024 wrote to memory of 1444	3024	dirsys.exe	schtasks.exe
PID 3024 wrote to memory of 1444	3024	dirsys.exe	schtasks.exe
PID 3024 wrote to memory of 1444	3024	dirsys.exe	schtasks.exe
PID 3024 wrote to memory of 1660	3024	dirsys.exe	msedge.exe
PID 3024 wrote to memory of 1660	3024	dirsys.exe	msedge.exe
PID 1660 wrote to memory of 4912	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4912	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 4240	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 8	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 8	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe
PID 1660 wrote to memory of 1864	1660	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dirsys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3704

C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe
"C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dirsys" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outspect.dev/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8dad46f8,0x7ffe8dad4708,0x7ffe8dad4718
4⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
4⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
4⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
4⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
4⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
4⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
4⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
4⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
4⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff777bf5460,0x7ff777bf5470,0x7ff777bf5480
5⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
4⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
4⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
4⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11619308203018595802,12333616066769932090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1044 /prefetch:2
4⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
"cmd" /K
3⤵
PID:428

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:1812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230604133511.pma
Filesize
1KB

MD5
c04318faf0c800948603459b8a0f522e

SHA1
3aec68ec0dd3240ef6064a191875cd6aa8568ec5

SHA256
6335b24f5b264200c8f86a1351582f148ad4b6c253cc0430c01ac60112df81d7

SHA512
ff781d19280f918d3dc537963bbaf977afa149325c700f87c1f89b37b4a9982faae74b8062928aa67eb94cc72778e36b53468674ef05fd63802d280a11def64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
bfa8e5626ddafe1312d16dcede2079e4

SHA1
73fe5d60d170858c6697f5b2a2a5923a6d43fb54

SHA256
72cbe1e06f8eeb6100b86b017b293e9944b384a84e05446ec87dc0d8e5a3d01c

SHA512
e52b09ee2e263b973f96aa6a65c45dbad32657d52ee05179e0394292079b5df41656f19c1f347ab487fa1030fde90612d0cb30a93d09065f8506d7464ea70b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
180B

MD5
526e5f6d08fd35dffb74f200822417d3

SHA1
562fb63d79cfe71f57bed54493288eb10385ed3c

SHA256
3ab94aa6217ecc9a507157834e1fdd4e2c7c43830c71f7d981641dcc621665fb

SHA512
3ae068082e5dfa7ed06c50316ba155a26be097d6015f1528257e936f9e77c3c37299db92b7696ba79da7ab85122deaef634ae902f7532e472f8b1c336fdb9d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c8f1da61c5ecc877f5032323729d3fa7

SHA1
1cbbb5a3a08ee39238cd80672fbaa32d7ac12d0d

SHA256
0858763b10590222b806f9f14e04be6ee4f6dfc6812775d5e28ee5edaad4d4c0

SHA512
b427bb892c7bdeba928e3895cae755cbc79328b115ddb6416c6c4d492222d53436860034c898543207064380861e5a973cd396e2541ac701dbad1a83c0d8296c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8655ca5834834bb96172db8b95d5386e

SHA1
c3dac1445f0e1ace1433fda573a1361f55cdf88c

SHA256
2d70975dfc542a47666505cd3c036599d5ac07533b0b69bdc26d76da05bd7e64

SHA512
597698374557fef25d574cb9040d358fe94eed993315fac2456b3cd96a2880236ebba91caa8f1783c4199f4fcdf6b460f1ccf5b637ff1e46715d92e5508030df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
098c8b07656797cefef73fdba7d9f024

SHA1
8abef21bb829a82ed6ea1cf9f2fe5c2f128ef459

SHA256
a365f43bd2dc583ada396760129b74b0c56d00894bbc65a5e0a71803b56782d1

SHA512
666cb7a30d9b96fdf54267a3bc64b086686388924bfe627b0fc3ec223866daa361e861a70312f722c8eb44c076b7d8b87198fba0d44392ae32c67e5d01a0fe37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
3966348bbd403f0d73c498b32b42c474

SHA1
e831a80dc7540db9afced875d230530380ec5119

SHA256
85295f1484a81c8e36f1287dbb3d8c2ff4f80a5b2dc0985b88abcf49850d7542

SHA512
75a7fe567b809507d121ecfccd5cb85d7dc8e64609f916a450345a1ba959f7535767619970de25f9474c498666ad1b08250697222d5696f7a589f663a035c41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8f4560d7d0069030ccda7a9e9be80853

SHA1
6300d83f77a7287253dd7399e6517f8f193e0806

SHA256
546d745636cb4c3b504d8f6ef65cfc8db9e0d9b5a638cd681b292231a1d56cf1

SHA512
682704cd7c0f05c0bb381f1e047ed308c836ee367cd66a49b0dcaf0041481d77b5d3b53f29e56d1ecb603e39fe310c91015876081c1857713372b27ed07406a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e76f8a3bec0719c1dec847faefa13708

SHA1
05384ec432933f0cf698761499436cff8521753b

SHA256
b00fa37ebbb2885fc1e849df7459f23c9c1f5e31d33c4efbe6917de04dca5b16

SHA512
9cb5f7f27a5da8acaafe074ffbea2faeffecfc6487af94acb28244685b1e34306d59292f0c74a04e3c7359a68949cf4e8d5ae6fc02d47fe388babf95bce12df4

Download Submit
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe
Filesize
405KB

MD5
5d28f72d1aad116bab07c41530e7734a

SHA1
1b0a277f8bbb8dbee1e791cda8c134d138ce0c38

SHA256
d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80

SHA512
39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b

Download Submit
C:\Users\Admin\AppData\Roaming\DirSys\dirsys.exe
Filesize
405KB

MD5
5d28f72d1aad116bab07c41530e7734a

SHA1
1b0a277f8bbb8dbee1e791cda8c134d138ce0c38

SHA256
d1051935a532ce6813099c06cc359aa1e02cb1f0e341583b3ec3253186e33a80

SHA512
39b9acaa7fbc7c6d1393d734cfec2fb3bda58abecaaed5b4c8d51cefc46e353fbbf5520ce6acb9ef2464ec1c529cc8ee4bad7b05a224caad1b1854087d2f807b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
c26e0345ee386330a5139eeb8a8af3cd

SHA1
9e0333bb195125ef359693347c5a94b9946eb900

SHA256
3caeb5d014e7c0a2b2d03233496c5ea13905668d8011a963f002ced9dd314a0a

SHA512
7a7d475b991556f4a5afd0228b2e9ecf9e9115cc9c2a2c1dcc4c424a32ed0a63dfaf75c51307359f4ac71d558120f28fa8ca39e31ae5bba6097ff7bfc06723e8

Download Submit
\??\pipe\LOCAL\crashpad_1660_XOFIBRGPAOUDSDZJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1252-139-0x0000000006390000-0x00000000063CC000-memory.dmp

Filesize
240KB

Download
memory/1252-138-0x0000000005F50000-0x0000000005F62000-memory.dmp

Filesize
72KB

Download
memory/1252-133-0x0000000000850000-0x00000000008BC000-memory.dmp

Filesize
432KB

Download
memory/1252-137-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/1252-136-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/1252-135-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/1252-134-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/3024-162-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3024-165-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3024-164-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3024-163-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3024-161-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3024-160-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/3024-146-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3864-156-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-157-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-158-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-155-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-154-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-153-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-149-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-148-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-147-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download
memory/3864-159-0x00000186BE640000-0x00000186BE641000-memory.dmp

Filesize
4KB

Download