quasar | 31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe
Size

6.4MB
MD5

eb0beafcb365cd20eb00ff9e19b73232
SHA1

1a4470109418e1110588d52851e320ecefcba7de
SHA256

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99
SHA512

8dff151e81b5ce3c4f51b1f24a6e7654c3008d81b6652e6d2f7fabc42d341e9db703b12f83ccf9471514498af3c1763ef97f132ad36302de8ccd984fbf52d52f
SSDEEP

98304:DpgFmZKkYcZ4YSQrKF78eHm8Xdt6Zz55JJ9enfr:uFmZOcZtrKFFHm8t0NJJo

Score

10^/10

quasar office04 microsoft persistence phishing spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

Mutex

b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-17-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99 = "\"C:\\Users\\Admin\\31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe\""	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 1 IoCs

Processes:

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe

description	pid	process	target process
PID 4104 set thread context of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
552	powershell.exe
552	powershell.exe
2260	msedge.exe
2260	msedge.exe
3820	msedge.exe
3820	msedge.exe
844	identity_helper.exe
844	identity_helper.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
3820 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 552 powershell.exe

description	pid	process
Token: SeDebugPrivilege	552	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exewab.exemsedge.exe

description	pid	process	target process
PID 4104 wrote to memory of 552	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	powershell.exe
PID 4104 wrote to memory of 552	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	powershell.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 3272	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	cmd.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 4104 wrote to memory of 1692	4104	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe	wab.exe
PID 1692 wrote to memory of 3820	1692	wab.exe	msedge.exe
PID 1692 wrote to memory of 3820	1692	wab.exe	msedge.exe
PID 3820 wrote to memory of 1680	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 1680	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4288	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 2260	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 2260	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4756	3820	msedge.exe	msedge.exe
PID 3820 wrote to memory of 4756	3820	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe
"C:\Users\Admin\AppData\Local\Temp\31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:3272

C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xe4,0x104,0x100,0x108,0x7ffec52046f8,0x7ffec5204708,0x7ffec5204718
4⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
4⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
4⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
4⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
4⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
4⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
4⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
4⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
4⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
4⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
4⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
4⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
4⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11994130558483322238,10994797729466524983,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5080 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffec52046f8,0x7ffec5204708,0x7ffec5204718
4⤵
PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
274dabe4acb3c927ec99a085f247c18c

SHA1
d4657a589dcce5b73748d62db74e099fd3c4d7d5

SHA256
6634c8d0cf0788c939545a316ecc44a9872748cbe73073b22bb32686b43d9d09

SHA512
468532075de470734f3ab7b2a6e51d233f6f625716b507bbe69434f594a80c8acc576511390fc01eaec8d7cefdf60f7860e70c37e54f2a160e3fa52a4973bab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7affa9775d4d4dbed684c75da24ff1b1

SHA1
5627c4e563e91c8c6ccc6170ba1f2b33f76522d9

SHA256
4b0b17cbbddd2de8d9065e0380e7a4c9f6edda4879960e18a0e7c8e0e2e8d1c5

SHA512
c3d865eb19a554594d485005fe755ffa7c1c6cf0f04986c9d630b07a2ce4118d601e978518bde0ca37fed0ffb259f1edfb4f3dbdf5171bc7e9f839ac3bb8a15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b61dccefbf0442cd60875eb9a7e9e1a9

SHA1
c613ad678a3d198bcb830145e505a633ac163af4

SHA256
1f7dca400b69b669c3cad39f3fb62ecd51b508a8282e0a83b20bede86941766f

SHA512
f212354427452753d3d1579a77f38fafadfe97cb7824823f6aa50db25d09ba9ec983c534c03cf784076414d88ebb507e371e98a4c0d5025d7a324a39b03ac6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a9ac3a07e812651ae10283554323879c

SHA1
a8c75e9a9fbde8260a63d91c3d5aaa381ef204f2

SHA256
d6c1516d697322aea26b7d97126bef00c98f25d6662919b89e12f66e9c5a068e

SHA512
baf30c6c172325453a10825242c4427015eb10cbd57f64c054f3f18b7f00dab967d5c4846223335157d55c64bdf5706c119df6160a852b82e27cb78e623ba729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
371B

MD5
1a64836280a01888dcb902d84f7d7d71

SHA1
215c2e1e8219111b26b650a79ff65135c784e9db

SHA256
22d4e082afbd250e9f0ede65e350fc94369dd306e330f88bb3b1b4b49603e326

SHA512
725fec84881e4b86b5cab5f7e44a40295ed27eb327884172366bf4dd838bb2560b75767e7d1c4878bc2b28dde509590830c2b416c0522f909fc2d9991e2909d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57abb1.TMP
Filesize
371B

MD5
a7d6d3f63ff729277bb577d340753583

SHA1
704f55c0591df49f7de4508e0f9ffbd30f773c24

SHA256
850a58b1e3fdef880ffd80d31aa8d0d3c03b12214ae20b1359fafc0f73052562

SHA512
4a6e212a8af16dc0e28bbb8e84a97a9f55620f67daa6afe4b93ab143b0d93a738dec691d830e956651fe23e19906bad1031ecf61c678988d850d8ec3620dfcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3d351651547e3e9ae5702899771ff889

SHA1
5457828c7c7571174d7e4e81f0d8e8b2c91baf5e

SHA256
964dcb9c1c7c9f9c95310b350ee797bab046e1b98da0a1d5c5fe17cf5333c8b6

SHA512
7c8fe1812d93dda85e4892f4e295a0e9db230f07cb8de465a318a0ac3359223fc321194a99f8266a52bc6cfe2f137fb8a6dc427c6c9635f3c763d5d2628d4ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ccgfs1hx.0eg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_3820_KABKBWZMZAQETXCZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/552-15-0x00007FFEB4BF0000-0x00007FFEB56B1000-memory.dmp

Filesize
10.8MB

Download
memory/552-12-0x0000026F1EA20000-0x0000026F1EA30000-memory.dmp

Filesize
64KB

Download
memory/552-11-0x0000026F1EA20000-0x0000026F1EA30000-memory.dmp

Filesize
64KB

Download
memory/552-10-0x00007FFEB4BF0000-0x00007FFEB56B1000-memory.dmp

Filesize
10.8MB

Download
memory/552-9-0x0000026F391C0000-0x0000026F391E2000-memory.dmp

Filesize
136KB

Download
memory/1692-17-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download