Analysis
-
max time kernel
72s -
max time network
68s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
17-05-2024 15:21
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
quasar
1.4.1
PoofNRico
nahchris-49021.portmap.host:49021
1a5d095f-2c59-4b3f-b053-5bd928b2e541
-
encryption_key
ADBAB4BC16998E7E1913E54C27829FE47C72BE6D
-
install_name
PlutoBETAv2.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
DiscordUpdater.exe
-
subdirectory
PlutoBETAv2
Signatures
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x000100000002aa71-74.dat family_quasar behavioral1/memory/1264-108-0x0000000000FA0000-0x00000000012C4000-memory.dmp family_quasar -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 1264 InfinityBETA.V2.exe 4012 PlutoBETAv2.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Taskmgr.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1384 schtasks.exe 3608 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings Taskmgr.exe -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 94836.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\InfinityBETA.V2.exe:Zone.Identifier msedge.exe File created C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe\:SmartScreen:$DATA InfinityBETA.V2.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 1632 msedge.exe 1632 msedge.exe 4596 msedge.exe 4596 msedge.exe 4788 identity_helper.exe 4788 identity_helper.exe 788 msedge.exe 788 msedge.exe 776 msedge.exe 776 msedge.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1264 InfinityBETA.V2.exe Token: SeDebugPrivilege 4012 PlutoBETAv2.exe Token: SeDebugPrivilege 3140 Taskmgr.exe Token: SeSystemProfilePrivilege 3140 Taskmgr.exe Token: SeCreateGlobalPrivilege 3140 Taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4012 PlutoBETAv2.exe 4012 PlutoBETAv2.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4596 msedge.exe 4012 PlutoBETAv2.exe 4012 PlutoBETAv2.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe 3140 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4012 PlutoBETAv2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 4540 4596 msedge.exe 78 PID 4596 wrote to memory of 4540 4596 msedge.exe 78 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 4272 4596 msedge.exe 79 PID 4596 wrote to memory of 1632 4596 msedge.exe 80 PID 4596 wrote to memory of 1632 4596 msedge.exe 80 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 PID 4596 wrote to memory of 5060 4596 msedge.exe 81 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/XUQ3Zo1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe8813cb8,0x7ffbe8813cc8,0x7ffbe8813cd82⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:22⤵PID:4272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:1700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:12⤵PID:1332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:82⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:776
-
-
C:\Users\Admin\Downloads\InfinityBETA.V2.exe"C:\Users\Admin\Downloads\InfinityBETA.V2.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1264 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "DiscordUpdater.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:1384
-
-
C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe"C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4012 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "DiscordUpdater.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:3608
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:12⤵PID:4772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵PID:1352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:5076
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1876
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1988
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3860
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3140
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD55e027def9b55f3d49cde9fb82beba238
SHA164baabd8454c210162cbc3a90d6a2daaf87d856a
SHA2569816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83
SHA512a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e
-
Filesize
152B
MD50c5042350ee7871ccbfdc856bde96f3f
SHA190222f176bc96ec17d1bdad2d31bc994c000900c
SHA256b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b
SHA5122efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD5fa26e96bd8b1117447866af46e75ecdd
SHA1a625eb26a08d53a669705309c9f18ac0ecf87aae
SHA25667ce8575b736e77b39adf2cdc2ce2850cb1b0ba39c8ea59a2c24fb11d1ff936f
SHA512dccdd0c5f855ee42327deecb6fe8d14c5a1737d8e2825f2de392f4e65c6ad44add2ea419cc509a2699499fd72d480a58f0ec9f48e9e1a59452683c5a8f9a2c98
-
Filesize
317B
MD5afc6cddd7e64d81e52b729d09f227107
SHA1ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a
-
Filesize
5KB
MD508c9710a545364b0a015a1e0220f7adc
SHA1a71b1761066ed6e3da89c987853763ea218ded9c
SHA25689806e78d0c0a42153e3ef5723c269825a177371d7d9d7b375e3733a0dc666a1
SHA5121cc07e42a77813ecc5b641547555f17f20f454d1c3071a0535c1d00f00add0987b3326703092489509eab0bd7edf1ce09cc92dff095263543a451b58924c9f04
-
Filesize
6KB
MD5074427486fdaeb2adb632920cc3d3eb6
SHA1f5992964719d70f1a40e0968b783239c22179688
SHA256b9e1dee612e0d26f0816a5109292c16e659154f3a15e56037b271fef184cdec4
SHA5122c49e4d3e2aa744874f42915b8e7bdb1c6aa0cd4ff2ec3ed1182d38ae43b08f7d8d64ed658f4d3b95e8823a54701096ad9959fb0cac52d389ae11187db83f991
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD533f06577ab63b74523069a5be11bfeba
SHA1db1dbf359d0b1d4ec24345acde29a50597bcfc71
SHA25612dca1c8fb9237813a56a59a34ee1103be0610d1f53df903b1063f7521d9ec7b
SHA512cc75ca0ec1d7f44cd15dc0b7c21e0bc89365d3d178a781ff88dbe40f09e45ad9a9f9124e6894b62f123ce68c930c10ad5122b26e4887532171a8c174a62cf1b2
-
Filesize
11KB
MD56900ac0747ea6b550ea8860ad86cdb49
SHA13d51121302b357d3a0a4de530dd5782873c6d07e
SHA2568a753273ce65b796f04326ad01908495c3070f1824125fd03ea4b35050802690
SHA51204d85cbad9295031933f2e6bbc61b68d6b9ce5262bcff1961651fe98f56d2bb4260f445ec1d4a83624b05ae69a774f8baa1fa5283177ca0f24f2671d76244e0d
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
3.1MB
MD51b84762faebd8469f686f703cbaef7b9
SHA141e135a8a2a9525e09a2303055430e36d95780cd
SHA2564b857bc454edef7fa460fecb36f676fa38bab8b3304f3f07d12b9777fa0b68cb
SHA512da9482a2ef6fbe659afff4c5a0d1911145bb93be47dd5a714e4e1c24802f1e9d9669f5a209665a7da752e56d2c82c41e48c5bd951d26a2cd763fc8a62d4e703c