Analysis
max time kernel: 63s
max time network: 66s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 21:34
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: Chriptzz-20947.portmap.io:20947
Mutex: 52b60565-cf3d-4ec4-9097-a5255e3dae6f
Attributes:
encryption_key: 4D9EA4BAC3387F17840187B20C39279A3B40A9EE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost.exe
subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\Downloads\Aio_Tool.exe  family_quasar
behavioral1/memory/5556-180-0x0000000000840000-0x0000000000B64000-memory.dmp  family_quasar
Executes dropped EXE 9 IoCs
Processes:
pid  process
5556  Aio_Tool.exe
5652  Aio_Tool.exe
5912  Aio_Tool.exe
5952  Aio_Tool.exe
428  Aio_Tool.exe
5512  Aio_Tool.exe
5728  Aio_Tool.exe
2292  Aio_Tool.exe
1240  Aio_Tool.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Modifies Internet Explorer settings
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Internet Explorer\Toolbar  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"  explorer.exe
Modifies registry class 6 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings  explorer.exe
NTFS ADS 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 824534.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid  process
1972  msedge.exe
1972  msedge.exe
3292  msedge.exe
3292  msedge.exe
780  identity_helper.exe
780  identity_helper.exe
5452  msedge.exe
5452  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid  process
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description  pid  process
Token: 33  4936  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  4936  AUDIODG.EXE
Token: SeDebugPrivilege  5556  Aio_Tool.exe
Token: SeDebugPrivilege  5652  Aio_Tool.exe
Token: SeDebugPrivilege  5912  Aio_Tool.exe
Token: SeDebugPrivilege  5952  Aio_Tool.exe
Token: SeDebugPrivilege  428  Aio_Tool.exe
Token: SeDebugPrivilege  5512  Aio_Tool.exe
Token: SeDebugPrivilege  5728  Aio_Tool.exe
Token: SeDebugPrivilege  2292  Aio_Tool.exe
Token: SeDebugPrivilege  1240  Aio_Tool.exe
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
pid  process
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
5652  Aio_Tool.exe
Suspicious use of SendNotifyMessage 25 IoCs
Processes:
pid  process
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
3292  msedge.exe
5652  Aio_Tool.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
5652  Aio_Tool.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 3292 wrote to memory of 3952  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 3952  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4072  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 1972  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 1972  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
PID 3292 wrote to memory of 4480  3292  msedge.exe  msedge.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8z82UJhI#y8oQ6PAjp8auO5kufIAffTM-XL5rum6oVYSqC0F6lOg
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3292

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8dbe546f8,0x7ff8dbe54708,0x7ff8dbe54718
  PID: 3952

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  PID: 4072

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 1972

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  PID: 4480

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  PID: 1732

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  PID: 3568

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  PID: 4780

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 780

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  PID: 1324

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  PID: 3632

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID: 4404

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  PID: 1924

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3288 /prefetch:8
  PID: 3792

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6100 /prefetch:8
  PID: 5224

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  PID: 5232

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
  PID: 5356

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,3362643254454074015,17118384164593330756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5452

  C:\Users\Admin\Downloads\Aio_Tool.exe
  "C:\Users\Admin\Downloads\Aio_Tool.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5556

  C:\Users\Admin\Downloads\Aio_Tool.exe
  "C:\Users\Admin\Downloads\Aio_Tool.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 5652

    C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 5732

  C:\Users\Admin\Downloads\Aio_Tool.exe
  "C:\Users\Admin\Downloads\Aio_Tool.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5912

  C:\Users\Admin\Downloads\Aio_Tool.exe
  "C:\Users\Admin\Downloads\Aio_Tool.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x300
- Suspicious use of AdjustPrivilegeToken
PID: 4936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 6092

C:\Users\Admin\Downloads\Aio_Tool.exe
"C:\Users\Admin\Downloads\Aio_Tool.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 428

C:\Users\Admin\Downloads\Aio_Tool.exe
"C:\Users\Admin\Downloads\Aio_Tool.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5512

C:\Users\Admin\Downloads\Aio_Tool.exe
"C:\Users\Admin\Downloads\Aio_Tool.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5728

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
PID: 5508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
PID: 5424

C:\Users\Admin\Downloads\Aio_Tool.exe
"C:\Users\Admin\Downloads\Aio_Tool.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2292

C:\Users\Admin\Downloads\Aio_Tool.exe
"C:\Users\Admin\Downloads\Aio_Tool.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1240
Network
MITRE ATT&CK Enterprise v15
Downloads