quasar | 7e5e87faf066201221548d5a8912582d7cdff43dac06331b68aa81a072f8bd21

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19-05-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleSniffer.exe
Size

1.1MB
MD5

df5a226b6c70691c85cbf776a17fd221
SHA1

b9007715c4c3775c6df8ad77c745df0ca1f97650
SHA256

7e5e87faf066201221548d5a8912582d7cdff43dac06331b68aa81a072f8bd21
SHA512

fd0d4d8a86cd155a62dbaa023ee2f6ae83a39d7a7b927aa7401f598b9edbce47ef4bb850f82a76a1f61549357193742541c38468bd3f68f84979dd5b395b136a
SSDEEP

24576:T4JMDRy3iWOdqZjdV5vQukdLAk+C4j6tqYsbMGYq+OiDnQArGC11W84UQBrPatc8:ToMDY/kL+ClNtn

Score

10^/10

quasar target spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Target

185.217.1.170:56098

Mutex

QSR_MUTEX_mXJYTiCQWK23RFk8eh

Attributes

encryption_key
ieA7XwTMJRwb9d92uUFd
install_name
WindowsRun.exe
log_directory
Logs
reconnect_delay
300
startup_key
WindowsRuntiime
subdirectory
WindowsRep

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\test.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\WindowsStartup.exe	family_quasar
behavioral1/memory/3044-42-0x0000000000400000-0x00000000004EE000-memory.dmp	family_quasar
behavioral1/memory/2916-43-0x0000000000960000-0x00000000009BE000-memory.dmp	family_quasar

Drops file in Drivers directory 1 IoCs

Processes:

ConsoleSniffer v3.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ConsoleSniffer v3.exe
Executes dropped EXE 5 IoCs

Processes:

boom.exetest.exeConsoleSniffer v3.exeWindowsStartup.exeWindowsRun.exe

pid process

1636 boom.exe
3044 test.exe
4456 ConsoleSniffer v3.exe
2916 WindowsStartup.exe
4824 WindowsRun.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

124 schtasks.exe
4336 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ConsoleSniffer v3.exe

pid	process
1636	boom.exe
3044	test.exe
4456	ConsoleSniffer v3.exe
2916	WindowsStartup.exe
4824	WindowsRun.exe

flow	ioc
1	ip-api.com

pid	process
124	schtasks.exe
4336	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

test.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings test.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2452 regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	test.exe

pid	process
2452	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4728	msedge.exe
4728	msedge.exe
4740	msedge.exe
4740	msedge.exe
3536	msedge.exe
3536	msedge.exe
3044	identity_helper.exe
3044	identity_helper.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4740 msedge.exe
4740 msedge.exe
4740 msedge.exe
4740 msedge.exe
4740 msedge.exe
4740 msedge.exe
4740 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WindowsStartup.exeWindowsRun.exe

description pid process

Token: SeDebugPrivilege 2916 WindowsStartup.exe
Token: SeDebugPrivilege 4824 WindowsRun.exe

description	pid	process
Token: SeDebugPrivilege	2916	WindowsStartup.exe
Token: SeDebugPrivilege	4824	WindowsRun.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe
4740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ConsoleSniffer.exeboom.exetest.exeWindowsStartup.exeWindowsRun.exeConsoleSniffer v3.exemsedge.exe

description	pid	process	target process
PID 2040 wrote to memory of 1636	2040	ConsoleSniffer.exe	boom.exe
PID 2040 wrote to memory of 1636	2040	ConsoleSniffer.exe	boom.exe
PID 2040 wrote to memory of 1636	2040	ConsoleSniffer.exe	boom.exe
PID 1636 wrote to memory of 3044	1636	boom.exe	test.exe
PID 1636 wrote to memory of 3044	1636	boom.exe	test.exe
PID 1636 wrote to memory of 3044	1636	boom.exe	test.exe
PID 3044 wrote to memory of 4456	3044	test.exe	ConsoleSniffer v3.exe
PID 3044 wrote to memory of 4456	3044	test.exe	ConsoleSniffer v3.exe
PID 3044 wrote to memory of 4456	3044	test.exe	ConsoleSniffer v3.exe
PID 3044 wrote to memory of 2916	3044	test.exe	WindowsStartup.exe
PID 3044 wrote to memory of 2916	3044	test.exe	WindowsStartup.exe
PID 3044 wrote to memory of 2916	3044	test.exe	WindowsStartup.exe
PID 3044 wrote to memory of 2452	3044	test.exe	regedit.exe
PID 3044 wrote to memory of 2452	3044	test.exe	regedit.exe
PID 3044 wrote to memory of 2452	3044	test.exe	regedit.exe
PID 2916 wrote to memory of 124	2916	WindowsStartup.exe	schtasks.exe
PID 2916 wrote to memory of 124	2916	WindowsStartup.exe	schtasks.exe
PID 2916 wrote to memory of 124	2916	WindowsStartup.exe	schtasks.exe
PID 2916 wrote to memory of 4824	2916	WindowsStartup.exe	WindowsRun.exe
PID 2916 wrote to memory of 4824	2916	WindowsStartup.exe	WindowsRun.exe
PID 2916 wrote to memory of 4824	2916	WindowsStartup.exe	WindowsRun.exe
PID 4824 wrote to memory of 4336	4824	WindowsRun.exe	schtasks.exe
PID 4824 wrote to memory of 4336	4824	WindowsRun.exe	schtasks.exe
PID 4824 wrote to memory of 4336	4824	WindowsRun.exe	schtasks.exe
PID 4456 wrote to memory of 4740	4456	ConsoleSniffer v3.exe	msedge.exe
PID 4456 wrote to memory of 4740	4456	ConsoleSniffer v3.exe	msedge.exe
PID 4740 wrote to memory of 3984	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 3984	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe
PID 4740 wrote to memory of 4504	4740	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ConsoleSniffer.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleSniffer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\boom.exe
"C:\Users\Admin\AppData\Local\Temp\boom.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\ConsoleSniffer v3.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleSniffer v3.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://psnprank.com/?a=signup&sniff
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb92ff3cb8,0x7ffb92ff3cc8,0x7ffb92ff3cd8
6⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
6⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
6⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
6⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
6⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
6⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
6⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
6⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
6⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
6⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14763858527144798302,808385966736817972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5412 /prefetch:2
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1012

C:\Users\Admin\AppData\Local\Temp\WindowsStartup.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsStartup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsRuntiime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsStartup.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:124

C:\Users\Admin\AppData\Roaming\WindowsRep\WindowsRun.exe
"C:\Users\Admin\AppData\Roaming\WindowsRep\WindowsRun.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsRuntiime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsRep\WindowsRun.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4336

C:\Windows\SysWOW64\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\Defender.reg"
4⤵
- Runs .reg file with regedit
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
f9116782db59394ea2f102e21fecdde0

SHA1
ae118dde19f14edc02d42ed6157f38c717bc8886

SHA256
a5b057e1fe4a20edf3c78b5fed414a67fc1da4010d9f266558d44e99c03c6738

SHA512
1b0562b2be28f7cf6000a01d68e438bd271acdaba6fad218dbb9f6bc4e56ebd3df3fd6ce2ea0c2e95124052ca5dc70e9f3ca0f2aefdd8f61ce507a764d0ee503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a3240ba05f59906c7b2f433584e78b9b

SHA1
4429ff80af07d548e0e2735fd0ce1379431fc925

SHA256
ec34bf2535fd525ec6c8ada4747cf89952a8808c1ce711cf76744577a66f6612

SHA512
e2b55f7df77758867e6dbb23a855e6bf2f0d9bee85969587849fe79684cbc85e02c1eb9ff8d2f9c34726e4a689545e785274b35c9808677a0aad326427fe4fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bc2820a415598ea8e30bbe2694dd0c89

SHA1
46dfb0171eb34915f16cdb4c13fe1d8173dc4e82

SHA256
8a514ac9ab304c721f4dcf77e1bde71a2bcc482b15dea8ecc8536344f608f8e3

SHA512
8311de8c1820077a000f873d1922155f09bb95eb2eeddda6f33a9f99069e1b750bea80952dbc5bda531050a97c3d986756bffa68d0af159e06861275b0495140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4583f61a3ca65db7e313514a5ad110b2

SHA1
6afee3335391fed5340c552dbe08048b584e210e

SHA256
9f0c197e02682a31c6c4ef47f00669b236ec6e3efb86d015f096854a1e65bdc9

SHA512
3484f0cdbf925727dc881f100f97956dd0cb65beaae564dbf2d82f85b34f2b4c858887f65d3f8ca215980877e95ed6e5ec5ed367825ad8f4130b37120c19da93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2afddc99ca02d2dad229382eef1a0a8d

SHA1
cfe93cb1e96d77f11fa2b8ffc48a5ddf39bc873b

SHA256
5aef29d8ec27cbeb115a2667a80f28956f9a18608f450645931d2dc5b4af3929

SHA512
3cbe26fa44ae9dd194a8ea0e92f114bcb68b73050fd2ab75dca25dbcbeb489854fdb7c40c135dd061560db1ba069a0abb80859ed93b6b0d58abf242d4efee702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5f9456ce1b98c97470631bf141e0fa12

SHA1
03cb466998b3bec2e6e5e913f8a29f38c179a63a

SHA256
7cd60da67c0a2938af64f461781f92c9ceadcb81ad1619144f33b10003a6594e

SHA512
ea74ffa33e7fc44742835ffc436b02c4d4ed65c070bc1074b8c6acddb4574871328974f196b22ade7bb6b8e39f1ff05d413c32f250535d5b4a54796b9cb7c604

Download Submit
C:\Users\Admin\AppData\Local\Temp\ConsoleSniffer v3.exe
Filesize
486KB

MD5
c9d05cc5fdf23e5d067af249072d2163

SHA1
7e321faf6ec8cf93269246e858403fb21c064e6f

SHA256
f74852b1cabf3a967bbf7cfce1dc5560275fd170f84bd79061a3a6c043b1dcb9

SHA512
38f9b796d82aeb0c72e6b87db2853fec9e64e1c964874bdd23745b6b40f6654cfbca3c222bf5b1fb9f72a02383e8427a1ddd58184aad466c1b81dc276dce5e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsStartup.exe
Filesize
348KB

MD5
aa52e7cd8b83ae71ae42f3652f8cd46e

SHA1
383cde62014b43020d286394f9e1c1716d502347

SHA256
93b8d133beaad4361adcf0b800d0001d187ec7ba33678dc93e678729cf345775

SHA512
b0453fc0bec1b7b0ea10f1517114328aa735a4cb0293d1b31e1f2169255ffa44dfd0b9633346f772c110b8c1c33f7684687a521bc4fd366e4e4811c7dada3604

Download Submit
C:\Users\Admin\AppData\Local\Temp\boom.exe
Filesize
1.0MB

MD5
c2fa55361e8ac12ce55251de8216f561

SHA1
b9600e03d786ae1c8254673dbe4f1e1ac2de809f

SHA256
0edba9a528fdb120c5a6512763a3fc9ac5041566f5daac10362d67b6f04872c1

SHA512
3d85c8c5468c2234f9d4b6db607c36f3d704e4f3692404b71461bd6e403635a85ca238503106e8c4ebdfc25e9e7b8ee0f82ce50bfac56de949306c62e7daca14

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
929KB

MD5
6d7b4a02338f2db020d064be2da34f4b

SHA1
932a211ead1a4f61a7d29e1d8486a3fe96674f74

SHA256
0926e4fa50cef7d9a7f3e58f31e7fd312f1691ac3e31b16d912f698a8f089c57

SHA512
4d4f2840080cac1f041619b121f962e482770f0757bdfa5390ed5a452e112f7ae0e25ba708d09bc2027e01376e86e755ae6621fad6851fff5eb96141bd7526ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
01a79e24dd91e9eb91443a1b50995fa7

SHA1
95bf587d294af52019b1e0541ec5ddf8ace5810a

SHA256
95d73d5321e5b193df29731eec3b3bca4731e827867d63332a0318262c49be91

SHA512
faa8fbea8e2c77ed5434804d92367d496994a531b648e887fae48b99b9477e413b0c19513a60125252593af22fb34fa6af0e4022f817c735cbe02d7558563e32

Download Submit
\??\pipe\LOCAL\crashpad_4740_GWLNGFWVTWHWUAVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1636-17-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2040-8-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2916-43-0x0000000000960000-0x00000000009BE000-memory.dmp

Filesize
376KB

Download
memory/2916-53-0x00000000066D0000-0x000000000670C000-memory.dmp

Filesize
240KB

Download
memory/2916-52-0x00000000061A0000-0x00000000061B2000-memory.dmp

Filesize
72KB

Download
memory/2916-51-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/3044-42-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4456-49-0x00000000051F0000-0x0000000005246000-memory.dmp

Filesize
344KB

Download
memory/4456-48-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/4456-47-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/4456-46-0x0000000005650000-0x0000000005BF6000-memory.dmp

Filesize
5.6MB

Download
memory/4456-45-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/4456-44-0x0000000000490000-0x000000000050E000-memory.dmp

Filesize
504KB

Download