Analysis
-
max time kernel
74s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-04-2024 23:26
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.226:4782
aec627fa-aba4-45fa-a0fc-e456110a730a
-
encryption_key
7D414F9EC5601C94A757DDCDCF7C7A7809D8CFD0
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zO47626637\RyansProject.exe family_quasar behavioral1/memory/7712-281-0x0000000000D80000-0x00000000010A4000-memory.dmp family_quasar -
Executes dropped EXE 6 IoCs
Processes:
RyansProject.exeClient.exeRyansProject.exeRyansProject.exeRyansProject.exeRyansProject.exepid process 7712 RyansProject.exe 7704 Client.exe 7252 RyansProject.exe 6660 RyansProject.exe 2768 RyansProject.exe 7088 RyansProject.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 6156 schtasks.exe 6704 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exe7zFM.exe7zFM.exepid process 2176 msedge.exe 2176 msedge.exe 3516 msedge.exe 3516 msedge.exe 7496 msedge.exe 7496 msedge.exe 7796 identity_helper.exe 7796 identity_helper.exe 5748 7zFM.exe 5748 7zFM.exe 5748 7zFM.exe 5748 7zFM.exe 6488 7zFM.exe 6488 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
7zFM.exe7zFM.exepid process 5748 7zFM.exe 6488 7zFM.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs
Processes:
msedge.exepid process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
7zFM.exeRyansProject.exeClient.exeRyansProject.exe7zG.exeRyansProject.exeRyansProject.exe7zFM.exeRyansProject.exedescription pid process Token: SeRestorePrivilege 5748 7zFM.exe Token: 35 5748 7zFM.exe Token: SeSecurityPrivilege 5748 7zFM.exe Token: SeDebugPrivilege 7712 RyansProject.exe Token: SeDebugPrivilege 7704 Client.exe Token: SeSecurityPrivilege 5748 7zFM.exe Token: SeDebugPrivilege 7252 RyansProject.exe Token: SeRestorePrivilege 8060 7zG.exe Token: 35 8060 7zG.exe Token: SeSecurityPrivilege 8060 7zG.exe Token: SeSecurityPrivilege 8060 7zG.exe Token: SeDebugPrivilege 6660 RyansProject.exe Token: SeDebugPrivilege 2768 RyansProject.exe Token: SeRestorePrivilege 6488 7zFM.exe Token: 35 6488 7zFM.exe Token: SeSecurityPrivilege 6488 7zFM.exe Token: SeDebugPrivilege 7088 RyansProject.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
Processes:
msedge.exe7zFM.exe7zG.exe7zFM.exepid process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 5748 7zFM.exe 5748 7zFM.exe 5748 7zFM.exe 8060 7zG.exe 6488 7zFM.exe 6488 7zFM.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe 3516 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Client.exepid process 7704 Client.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3516 wrote to memory of 2520 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2520 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2576 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2176 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2176 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe PID 3516 wrote to memory of 2072 3516 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://easyupload.io/cbm5st1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff864ea46f8,0x7ff864ea4708,0x7ff864ea47182⤵PID:2520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:22⤵PID:2576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:82⤵PID:2072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵PID:3068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵PID:1064
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵PID:760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:5088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵PID:3024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵PID:2868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵PID:3836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵PID:2268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵PID:2932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:12⤵PID:4536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:5016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵PID:1772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:12⤵PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:12⤵PID:2768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:12⤵PID:4620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:12⤵PID:5124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:12⤵PID:5132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:12⤵PID:5140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:12⤵PID:5220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:12⤵PID:5228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:12⤵PID:5236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:12⤵PID:5248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:12⤵PID:5256
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:12⤵PID:5264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8584 /prefetch:12⤵PID:5280
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:12⤵PID:5940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9232 /prefetch:12⤵PID:5948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9516 /prefetch:12⤵PID:6032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10056 /prefetch:12⤵PID:6220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10308 /prefetch:12⤵PID:6320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10452 /prefetch:12⤵PID:6400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵PID:6564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵PID:6636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10620 /prefetch:12⤵PID:6644
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8476 /prefetch:12⤵PID:7020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:12⤵PID:7032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8744 /prefetch:12⤵PID:7104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:12⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10772 /prefetch:12⤵PID:5900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11408 /prefetch:12⤵PID:6556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11416 /prefetch:12⤵PID:6560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:12⤵PID:6924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9180 /prefetch:12⤵PID:7200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:12⤵PID:7304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10288 /prefetch:12⤵PID:7376
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8128 /prefetch:82⤵PID:7476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:12⤵PID:7484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8040 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:7496 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12572 /prefetch:12⤵PID:7684
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10936 /prefetch:82⤵PID:7780
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:7796 -
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RyansProject.rar"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5748 -
C:\Users\Admin\AppData\Local\Temp\7zO47626637\RyansProject.exe"C:\Users\Admin\AppData\Local\Temp\7zO47626637\RyansProject.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7712 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:6156 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7704 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
PID:6704 -
C:\Users\Admin\AppData\Local\Temp\7zO476CC3C7\RyansProject.exe"C:\Users\Admin\AppData\Local\Temp\7zO476CC3C7\RyansProject.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7252 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12112 /prefetch:12⤵PID:6772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11680 /prefetch:12⤵PID:6668
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10252 /prefetch:12⤵PID:6876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11432 /prefetch:12⤵PID:6896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15580206074635887335,11408357738763832886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:12⤵PID:7384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1060
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4788
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:7728
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3234:86:7zEvent104071⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8060
-
C:\Users\Admin\Downloads\RyansProject.exe"C:\Users\Admin\Downloads\RyansProject.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6660
-
C:\Users\Admin\Downloads\RyansProject.exe"C:\Users\Admin\Downloads\RyansProject.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RyansProject.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6488 -
C:\Users\Admin\AppData\Local\Temp\7zO85966B78\RyansProject.exe"C:\Users\Admin\AppData\Local\Temp\7zO85966B78\RyansProject.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7088
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
867B
MD5c5dfb849ca051355ee2dba1ac33eb028
SHA1d69b561148f01c77c54578c10926df5b856976ad
SHA256cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
SHA51288289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize230B
MD5309bdec57f3d22dddb703597b935c73d
SHA15cc6f08cebdf11bf55cf66cede31e4a922bf6457
SHA256dd9bf285cb642f39f5f825342b3cde8b326bf2218742e907e8070db7e7d6bba6
SHA5125dec60fa364f004a371285b8e268a0c5764c712906ff75979ecdecd6341469711eb011a5a9dca8bcd4601b3016cd0fc47f698bca2ff7a0a24659b5a8feef0ff0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
Filesize242B
MD50c01f7f48843653180912a1ae3ba9691
SHA1514c4c3c854416f4b6acc65f60624a5f9381d649
SHA256c6e8174e0fa6a834758c95df325b834b2bc6b0a2bef56870507865de4276deb2
SHA5125b18c2f3dff6b1d54723da818e9aaa98eebb878a77ecadacb5835e6087ccb5e313d7aa729e9bd4020445db27d1d103b9e323e0a60e303937801ce655e5978038
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
Filesize
27KB
MD5bffb059f66bf71c890cc5b5ae438989a
SHA1e13ab1e1accbf64e3e430f02f7c10ae09d413ac4
SHA2563a87dbcf5afda3daf93b5be8979affc5ed1a14c1050e004cf4c8897f2d96bd64
SHA512cc7a0e52bc9278d4e69923eb6ead9da450144797c5aec7bb479cd68203221320341e271f2be120d7fabd6b8a9d0ecfe48c870c7eb18fe687d96dbb20ede9488a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5979bb5e5db4d9cb5204fe3123a887f23
SHA18beccacf0c1beb40d82ea9844a2974427224ec35
SHA256ac3ca60e350848794a021cdd3e3b20acca5637fae091ecc0399918e9ca5151a5
SHA51217b1248699e21b4627332725fe629a1086ec2355dd8cecf13288dc4b0e4a81d5e38700aca37d7e5ad9b632e59ab88acfb60b31690dcb90ec38868b5854ed7122
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD56f041d7ab2953bcba321f9b40a59876b
SHA1636fe3eb4eea984eeb879eb5b2bfb91fadca71ac
SHA2562526a329e1cf3eb616c7282176c38ce4825164c58e75c09aaf7d2106c38e19d9
SHA512f6f7e0f0c5c44c5a2651868dd6aa355eee265f549c3be1c9c6a9dddb5d506c2b7b9ef83d84d9b2c16f47cc3f82aa42941b167b3a31c0395910a8381492fdd141
-
Filesize
10KB
MD5df4290b557c613f2299f4d2379cf6e78
SHA102425ec61f16c155b61cff503d260288d8d285a0
SHA2564b4084e10f6916b555937ef972da3a82e721d874e7ab42d1c36db21a1f6147dd
SHA5126bdd7f3dab451bfc9394a2b9a1cc6e2504f9ed2f2bf6be1d4dfb8266ba2ab65c877ffe8118c96fecf3b43caf5eb7038864c7a88d2a12d6a2fd3919f77d75308a
-
Filesize
6KB
MD590bde1593a6860f4cc8f62b0a34a8a28
SHA1bf707dacbdedc64c3e6bdbf3846422a62c36b7fb
SHA256b6a42173ee510dc9f77f3dc6bc0e8a1af50f32b3168cb6dcde436b910769b366
SHA51274e78a64ec25b0164bc7ce25bc5572ec33c0deb73677a0ad5f3573fd09fa0ea037fa02cb1d4d7d80f1c1821942840ca23ca15186f95d2e5992a338f32a264354
-
Filesize
16KB
MD5aacdd9c3bfbe9f0c1b52682220ede5e0
SHA170269c0982baae379fabda3b2b9eecfe5752d3ac
SHA2567f3df646f3f1c85b86e15146a6296c8edeaef82f3de0dfc110b29648e737051a
SHA5125a79af9fc0ada1f0fc4123d7c6401b138b4020631a3453af5c68735ad9c432965d580103f77ab4e50cf8f787e4e4610282e01442152466b98e8d96b711416d16
-
Filesize
3KB
MD54074bbc19a61ad2cd70321f74862ba87
SHA11bd30c48c0759cb993f51d8c4e419d03430f6ee0
SHA256117a0d862b789bde7f5b4208b737af1e96e76548275596af48bcb5daeaa28993
SHA5128f0dc5c7df6a3b9e29682625a5d61ca286a8faf6f99ab481bce3036ae485b58a64d250a908b56a1d215a54b30446fc9c467e7eb865f313d37c656048ff34a20d
-
Filesize
3KB
MD5059e4792380953248a45ba15c7cea739
SHA1abb68193cbadc18fb5c061307f9cd3f7d3f15fa0
SHA25693c85198f93b58d7306d8c87952aff656303ca07399763f152aead1877c86f77
SHA512333283cda0e4d33ea3c2cae9a073bacb898b7962d6e40ffd11b860dd144d319c04dd5a8620296d313baa199acc6a335c65e55253092c5f1b6ddc95647570f81a
-
Filesize
3KB
MD5b911114a20dedf31cd616d155a7c429d
SHA19967ab084972f67d33d6750b98fdbf01d00a3521
SHA25694d1a2e3ecf93a620b4738f870b4416d4007302850bf90dcb2896fe59b645b84
SHA51224e9ea549c2059ebbf542582a64c6f050a8c2c2ab3d7daecf3d906eb9e23085dbb0976c9c792a7fda0f7036b5c850ac63cf04fa401620d6f41ef18cdb311ed63
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e8b1132932ee90283bcfcf6f11e2dfff
SHA1046283ca7f176db837d7576d78d2135061a83f0c
SHA2567ace24640fc0bb760299b23778b08d61e94fd07f16026ba156a42f5ff44677d6
SHA5120a8cdb1cf6e0fe9d6dcd989fbc2ea2b237983a2d4b27b967483ae1405dea7230edf9bad8b83aae6cf34098f572568b081b89621b0c034f0b67c44347fc7f2e23
-
Filesize
11KB
MD5424dd2d9b1af304a3679f8a5dccf06a5
SHA175454a8463dd1de70f1478cf3837ff62968bd39b
SHA25665c90f1af6388bdf0a570c8ba6270f584ef22e39009d2a0751f1a630caebe5b7
SHA5124e110e67b19bab4164e676e2e4a7d3feb7a3411f4316efae45202c9ba3cc3176e2cc128c77cd638d3d580d82f05e4fd0edbd1e6e0037b308c4ed3f75fac8049f
-
Filesize
11KB
MD59b701b8216f025ffdaaf5115c950ba2c
SHA1db0d4409f1f36aa5abc200e68e26938bda5ed94b
SHA25683e8496a58e76fec5e663a3e6570d46468afeecca72eba1dcfa29513657d8eab
SHA512e2b28137ce07bc2200d9ad9057dfc62c430874f25016ba25550f7ccaa0da391b837e808257bdd98071dcc0bfa23760aeb3ad73dd56d08dc847a2bcbf507b867c
-
Filesize
3.1MB
MD520edba711349a03803c2f96bbbe18b39
SHA1675607f2c3510c35ea0784c1051e3a96c3b44416
SHA2568e3077a2601f2727d79389b445d9e90336a0055c0f5a7ce330cbd4006876f1f9
SHA51285130c87a19dc29bb6b6c26aea68f7173bf0df69c2a4b80e90bc2e14c19acdb1457f680e69d75c916fe7d546c470da5bb38b970843b33feda74847f5a675ee4e
-
Filesize
1.0MB
MD544d6e8a53cff50cc3363e729ce3ecb04
SHA1c9b66072ab2179194baee927b4ab04d43d64ddf5
SHA25617f1c062b320bd3c8b938a07f9518affaf837fc253fe20c624187faa114938ae
SHA512a93a888e5438c9a1d7453874da93d6aa860fd92be616d4a349870f025c3c79ab3ed24403f635d3e1496799930ac08c9c1f58cf0580720a70bbf43c2aaad11189
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e