quasar | hxxps://github[.]com/R4t-Cra4ck3r/SeroXen_Cr4ck

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/R4t-Cra4ck3r/SeroXen_Cr4ck

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

chinese-golden.gl.at.ply.gg:44086

Mutex

$Sxr-8pC7X2mG070btopC86

Attributes

encryption_key
X7DsXqksH10Qr4Gz4fsk
install_name
HAHAHAHAHA LMAOO.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Svhost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload	family_quasar
behavioral1/memory/3760-279-0x00000000009C0000-0x0000000000A2C000-memory.dmp	family_quasar

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Sxr_Installer.batHAHAHAHAHA LMAOO.exe

pid process

3760 Sxr_Installer.bat
4624 HAHAHAHAHA LMAOO.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

52 raw.githubusercontent.com
53 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

84 ip-api.com

pid	process
3760	Sxr_Installer.bat
4624	HAHAHAHAHA LMAOO.exe

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com

flow	ioc
84	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

Sxr_Installer.batHAHAHAHAHA LMAOO.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe	Sxr_Installer.bat
File opened for modification	C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe	Sxr_Installer.bat
File created	C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe:SmartScreen:$DATA	Sxr_Installer.bat
File opened for modification	C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe	HAHAHAHAHA LMAOO.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	HAHAHAHAHA LMAOO.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

872 schtasks.exe
6112 SCHTASKS.exe
2344 schtasks.exe

pid	process
872	schtasks.exe
6112	SCHTASKS.exe
2344	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
5096	msedge.exe
5096	msedge.exe
3932	msedge.exe
3932	msedge.exe
6020	identity_helper.exe
6020	identity_helper.exe
636	msedge.exe
636	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3932 msedge.exe
3932 msedge.exe
3932 msedge.exe
3932 msedge.exe
3932 msedge.exe
3932 msedge.exe
3932 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sxr_Installer.batHAHAHAHAHA LMAOO.exe

description pid process

Token: SeDebugPrivilege 3760 Sxr_Installer.bat
Token: SeDebugPrivilege 4624 HAHAHAHAHA LMAOO.exe

description	pid	process
Token: SeDebugPrivilege	3760	Sxr_Installer.bat
Token: SeDebugPrivilege	4624	HAHAHAHAHA LMAOO.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HAHAHAHAHA LMAOO.exe

pid process

4624 HAHAHAHAHA LMAOO.exe

pid	process
4624	HAHAHAHAHA LMAOO.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3932 wrote to memory of 980	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 980	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5316	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5096	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 5096	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe
PID 3932 wrote to memory of 3768	3932	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/R4t-Cra4ck3r/SeroXen_Cr4ck
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4f946f8,0x7ff9a4f94708,0x7ff9a4f94718
2⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
2⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
2⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
2⤵
PID:1656

C:\Users\Admin\Downloads\Sxr_Installer.bat
"C:\Users\Admin\Downloads\Sxr_Installer.bat"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Sxr_Installer.bat" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe
"C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2344

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5612

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3f5fad5f-205e-4544-aee1-56a788c2e1f1.tmp
Filesize
6KB

MD5
d649fd526fbe2b5da19cfca7391a994d

SHA1
8069a399014342950db574b6884df3daa0ab5471

SHA256
8921dd464fdcfdfeccd7253861b8abca5b3dda12c807a7f77a90d57d75aef717

SHA512
d864e8891d0c8912fc9160b3d78b520d9a4b00963d5fe50c6c3fe98f13b981d5b77e8842f5180444a5c7a091899ebc0db98a292833a96fb2dec21c3d81761c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
77b0395e7018ed753d13f9b8fad42075

SHA1
0a470eb4eb0c3d743880bc19a47cc5fd49d195e0

SHA256
bf1b1e463d86f95e234f060d9c6b2618076445e0bab47d95fded7c13f857be61

SHA512
ba576c85fea18824ffa55ceef04569db666b2633a93751440bfbe138dd0813d39d65d8e29031abd9aaaaa89e9326fa7c4afaac33345b7c1cbe9c01776d8f8fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
32cda1d365070042d3e8329edf7780f4

SHA1
f9620bdad50bdd3bbbee261e9069c6f0296794af

SHA256
5d2e67989e2dd4ed6267a0ea3e211043078c00f7655aa36e5f6c9769a8cc11b0

SHA512
3bfa9cc4e70d8e3798b7421120ae13e47851bc5faed2ba16a2cb3e5f5fdd9a8f65a4f43f6a24aedb914ae180378a00fe849bf64c9cc801a628a1d9d300a69fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6ff7ed391fb8c9527a86f0a0333dfbcf

SHA1
e4053054f751af70f91d77851c9e5ff28166a080

SHA256
0c3c5ac4633933b2650b37df605ee101d4fe1dd7e1e2e6ad459923b2fbb5ab3e

SHA512
0827c7acd7bbd1fcd2da8b38a4905d1686ba01f0e042f0c7c12d6a248b478eb7af0c47295c9cef8ba4c1aaa66d8418cd9e4e32b1a873055469800c5e753649b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e49162231e1a7b7625a24b0353ccadaf

SHA1
dba4c41500462fe78ab09957f89f43a3ed686f64

SHA256
31fef6d06b297b29971c43e7872f8d7950e4ea57e1b04dfe6fac4e61770aa606

SHA512
7ef6cddfdcd26fe7bfa00488cb6b90f3f27b047bd846ab9823d7ca22cbfe8e644d09b8a51f6d96dd68232a39f013a9837db0de89dda3244ab8c239e3882ebb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f35e39a5cb7503eb3155bdb110768fb4

SHA1
114fd3c51d8eba1d52f11a043eb5842246a5016c

SHA256
61e578790900db258ebf6523676efcd222963fb09538644a627e17d5c1ac8902

SHA512
ba5b881bdae6a16630f27854064e654efc8fd16aa077d41a52d359288d6bde68356776b33fd201e7abf98b091c29f10f2b453fb61afd30b77934ba27263db51f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload
Filesize
409KB

MD5
9eaba1c208b8e7a0c94c109e60c5b113

SHA1
a602439a57a44287dff1d980d2c959c0d934a9e4

SHA256
ab6f4a4fa9bbdf8d9461023a2819b76b07d93e7d31e9d97a490f8ed4c0c0dccc

SHA512
625363f1203596200cd6fdc7c9f9ce8b6af0634299dc750f490305822385d8915981c8c7a162588959dbf000a7d8b4af8d61352fd84a176207c592ded2f87fa6

Download Submit
\??\pipe\LOCAL\crashpad_3932_XQUZPIJWBBIOOUFK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3760-280-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3760-279-0x00000000009C0000-0x0000000000A2C000-memory.dmp

Filesize
432KB

Download
memory/3760-281-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/3760-282-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/3760-283-0x0000000006010000-0x0000000006022000-memory.dmp

Filesize
72KB

Download
memory/3760-284-0x0000000006550000-0x000000000658C000-memory.dmp

Filesize
240KB

Download
memory/4624-292-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download