quasar | hxxps://gofile[.]io/d/O8pLMV

Analysis

max time kernel
119s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18/02/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/O8pLMV

Score

10^/10

quasar client spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

client

192.168.1.190:8080

Mutex

4787fbcd-9b88-411d-86f3-9a4da6d1b091

Attributes

encryption_key
9125BEED3E3189E9FC0B8834A851F5BAC4D273FD
install_name
Aquatic Raider.exe
log_directory
Logs
reconnect_delay
3000
startup_key
snfr
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a7b7-89.dat	family_quasar
behavioral1/files/0x000200000002a7b7-143.dat	family_quasar
behavioral1/memory/936-144-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
936	Aquatic Raider.exe
5060	Aquatic Raider.exe
4024	Aquatic Raider.exe
4752	Aquatic Raider.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4864	schtasks.exe
4260	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Aquatic Raider.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Aquatic Raider.exe\:SmartScreen:$DATA	Aquatic Raider.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 864074.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 480320.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3800	msedge.exe
3800	msedge.exe
1924	msedge.exe
1924	msedge.exe
3888	msedge.exe
3888	msedge.exe
2224	identity_helper.exe
2224	identity_helper.exe
4652	msedge.exe
4652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	Aquatic Raider.exe
Token: SeDebugPrivilege	5060	Aquatic Raider.exe
Token: SeDebugPrivilege	4024	Aquatic Raider.exe
Token: SeDebugPrivilege	4752	Aquatic Raider.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe
1924	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	Aquatic Raider.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2612	1924	msedge.exe	77
PID 1924 wrote to memory of 2612	1924	msedge.exe	77
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3036	1924	msedge.exe	78
PID 1924 wrote to memory of 3800	1924	msedge.exe	79
PID 1924 wrote to memory of 3800	1924	msedge.exe	79
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80
PID 1924 wrote to memory of 4424	1924	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/O8pLMV
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9d6d3cb8,0x7ffb9d6d3cc8,0x7ffb9d6d3cd8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7111286507238387378,11766552993074836460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Users\Admin\Downloads\Aquatic Raider.exe
  "C:\Users\Admin\Downloads\Aquatic Raider.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "snfr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Aquatic Raider.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4864
- - C:\Users\Admin\AppData\Roaming\SubDir\Aquatic Raider.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Aquatic Raider.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5060
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "snfr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Aquatic Raider.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3640

C:\Users\Admin\Downloads\Aquatic Raider.exe
"C:\Users\Admin\Downloads\Aquatic Raider.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\Downloads\Aquatic Raider.exe
"C:\Users\Admin\Downloads\Aquatic Raider.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aquatic Raider.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90bbaa873cb1024ace83f887dfde38ae

SHA1
922416490e14f9098df969a56b75e7523f108e53

SHA256
2ff8abbbdad2acf5f04a3b47624055a0f2c36a09b0db3945b494f7eb92ae87bc

SHA512
60587031845ee5ae354c760bd2714a47ff561d3bd6e8aab7b2073d1b9c6b544c7eca94078d9cdefcd87b44adce4e814852c1e8f6af8ca3bdd5b0ddd0312e57b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
186e21adcf0c946cc7055348893de9cf

SHA1
c2e3f63b1dc468bc251358e42bb7f9abd5936ca3

SHA256
f3c1afb68380348140d2ac80d9887a0cadf285fb0a9de4c13ded2d4788ba4cdd

SHA512
2ce50e43540bd5a4bc6e936a7c05f1adb935251596f4cd4f8e66bc4650c15592e8849d7831d107237d78f4e0c527478bae813253a48357739e926053207e9bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3984225318ec9827bf55627c04c36225

SHA1
74ac1a6b75c85720d397a0444f51bb945bef3df3

SHA256
0a3edd2ecde088442cb1c1413627a45e3dd61ca564963be565e80aeb4a236ad8

SHA512
a7c57d7e933cedd38806926682a4e6b6e0d28110c5e5090a2b2c6fabc3db9d76ec11d39064c495472a1148e60d0da7d61e86e3da6d04fb89c56873feb2a5a073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ff8d54d7e411e931bd2f7f88e48cbff

SHA1
4dbbc976ae3271b1cfb19e73719c51f737b5ac82

SHA256
9a3d00fdaeef61d36ff7e10fce38bf4547084f49344d0aaa7591759960fe47eb

SHA512
b4d8b4fe79c1c5b152c9b610e434acd5748693f69c03fed3caacb0cb5bab8a154e4c9fa1806f68080c911fe1329ea3d14227dc26f7a10cd3ad3e7c67bf5e2e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
38e0f825a71c236dde48aa2f551fc800

SHA1
1aff06111b765ed4e382b9216101e1f54a09d73e

SHA256
8018002d860e6370cd760a83b61d41f77cfb9473aeafbf630b27e4b4a7c100bf

SHA512
28fc9207402287a3742a8b409aa0db3d570cbd8e456c4ece1ced7b34b6d22f8fd0a2f699142090a9fe54062b35082560012ae80aa9785ce2b21da0aa9bd40399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0bc57bd5b8fb3af28a32a2e278547264

SHA1
7b9730c08f8409c1751e80a82c2ec478f39192e5

SHA256
7eddd51b353a7ee3eef7ea1756720e33ffd5cdcb0e153fa2ae3df1a7d23da189

SHA512
fb4c6d924acf5c135f3ff1aa1043a75fa5f0e3b207c7d3cc3f9188986b02f0f1484c51cd258d0824bbb1a6ca7920708a075fe23b4709a84f29869fd7922926d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7e7f8029e0184a5d4343c5690e817211

SHA1
b06c089fa85cf1cb3d0c2ab65e909c4bcb7ebdee

SHA256
0bd3250d6a8600746817c15e7226382fcabec9d80d122d0d693b9736d32a378b

SHA512
007618f4b809a09da12daac2da25d1419348ef3e9d42ee210f5c52c59ee69310471b26cf5b978be0aaa7ae167489a8da6a13f57d0ee1c28442ca87b15189f363

Download Submit
C:\Users\Admin\Downloads\Aquatic Raider.exe

Filesize
2.2MB

MD5
6a473d167e00e45c8234767311439736

SHA1
f150b38141d4c6c1076c40ae7ee8421a814ee34f

SHA256
35ce70f1f184a0b82ffce9cc4ec959c4e2b23abbbf7fbe465ddf5b25c2ee3403

SHA512
a9a3ff6a9e5d154aa2bc3ba1d517fc6f734358c94cbe59e226c93fda2a8d1b5053df94087214574d469834fd9fdef17662ee3ed683fbb62cba8b1c153e22e603

Download Submit
C:\Users\Admin\Downloads\Aquatic Raider.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 864074.crdownload

Filesize
3.1MB

MD5
308d0ff88a914a66394f2f44d1e4865b

SHA1
8df9c9032084f3d1e70ec652c05deb9f66b02fbf

SHA256
2b86c52709a832ddadb00fe12ca74aed9cff98c2b4a83eb9afeffcf3853b87e4

SHA512
e5483aa1e2b79e04aaa4e4d3a769714fb1274ed8ec6cbf1af883da69d9f87c59daf067f6eeb356a0045a8593e10210e06ea601539cf920898a373f8aa2e4b4ee

Download Submit
memory/936-146-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/936-156-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/936-145-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/936-144-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/4024-195-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/4024-197-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/4752-228-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/4752-229-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4752-230-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-159-0x000000001C1B0000-0x000000001C262000-memory.dmp

Filesize
712KB

Download
memory/5060-158-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/5060-183-0x000000001C8A0000-0x000000001CDC8000-memory.dmp

Filesize
5.2MB

Download
memory/5060-194-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-157-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/5060-196-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/5060-155-0x00007FFB89920000-0x00007FFB8A3E2000-memory.dmp

Filesize
10.8MB

Download