quasar | hxxps://gofile[.]io/d/iyThFL

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/iyThFL

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.0.0.235:4782

Mutex

344dfdd6-fe74-48a9-967b-a3dfad856bcb

Attributes

encryption_key
131452D2A8537CACD85316B57C663E06ADAC8DE0
install_name
SvcHost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
conhost
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 971125.crdownload	family_quasar
behavioral1/memory/868-147-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Client-built.exeSvcHost.exeClient-built.exeClient-built.exe

pid process

868 Client-built.exe
744 SvcHost.exe
4456 Client-built.exe
1452 Client-built.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4456 schtasks.exe
2472 schtasks.exe

pid	process
868	Client-built.exe
744	SvcHost.exe
4456	Client-built.exe
1452	Client-built.exe

pid	process
4456	schtasks.exe
2472	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exeClient-built.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 971125.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe\:SmartScreen:$DATA	Client-built.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4868 msedge.exe
4868 msedge.exe
3952 msedge.exe
3952 msedge.exe
3604 identity_helper.exe
3604 identity_helper.exe
2052 msedge.exe
2052 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
3952 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Client-built.exeSvcHost.exeClient-built.exe

description pid process

Token: SeDebugPrivilege 868 Client-built.exe
Token: SeDebugPrivilege 744 SvcHost.exe
Token: SeDebugPrivilege 1452 Client-built.exe

pid	process
4868	msedge.exe
4868	msedge.exe
3952	msedge.exe
3952	msedge.exe
3604	identity_helper.exe
3604	identity_helper.exe
2052	msedge.exe
2052	msedge.exe

description	pid	process
Token: SeDebugPrivilege	868	Client-built.exe
Token: SeDebugPrivilege	744	SvcHost.exe
Token: SeDebugPrivilege	1452	Client-built.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe

pid	process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe
3952	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SvcHost.exe

pid process

744 SvcHost.exe

pid	process
744	SvcHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3952 wrote to memory of 1640	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 1640	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 856	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 4868	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 4868	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe
PID 3952 wrote to memory of 3668	3952	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/iyThFL
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc451246f8,0x7ffc45124708,0x7ffc45124718
2⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
2⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
2⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:8
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,7248830287857707490,6675280216770345704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
2⤵
- Executes dropped EXE
PID:4456

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3768

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4456

C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\SvcHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
990122b91bbeede22a18963f61ef530f

SHA1
3042c508206d100ba33849667dfe0ae6e3ef74df

SHA256
abf1ca6aa2f05c1c3aeae44283d8c52d51bef2c39be71378cc5bba5434b994c3

SHA512
ccd998fe2d99b5a9a97b55219a25c5d46a185eef1c3fd8444362ee371dfb80d3be217260029835e21ac732c96af594ad20c3a9545a12b81346c17b6b794c6d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32985c660db8271e506c383ba8aea31a

SHA1
4e1102371119d654ad8d80294a239e4deb125ca8

SHA256
9e4225673bfde2551138201e7c780a8c0fc8624b80ada4bfe519de1351aca3c6

SHA512
10bc01f1e5e3aa6c49fd5b268e73afd5c6fd542a91f443ac397a6e2cf8a1289a47e4a684abfc7e44d4bd6c1ffac8df8b5b5c291d628f1b346e40a66c40ebd670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
318922847b875d12cfc186042a65b87c

SHA1
e845f1c07da73533060e24b2d0f524ddff18c66b

SHA256
171e9e6aa7a0edad54365addbb00c2166e12bc5b3df6c58b2e33aa4437c850e5

SHA512
b1685f67a18b7322e66608ebca4e9fe48a66ff9bb857c6faf61230e9de3fb5aef7ba69f89ef252b45df033db0d6afcf27fd267d622009d99b26918a84469f88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f12c59a3049cb29fd1234c3a8da78fad

SHA1
f49e6e4ef88f6520a25b8f068fd51e21bdaf615f

SHA256
2537faa2508f9e55d784704ec0742fb4b829bd13302356ee2603c22c2c58c863

SHA512
e4eae9ec902c924cdeeeb36e96055d5186fda20ebe36e49e714fd2f4a7ad021d5352a2f74e1c657278261afb30b8c9177ce32d831f7629b0c23b354bf817263b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1f25f35a7a7602db046e64157d756bd

SHA1
7a5241ee5d41b2fce671f26bff172efaadac46a6

SHA256
b9cef98185100423206050f4c7def714359249294034f261ae369858bf7e32e2

SHA512
299089a16a1e0ddb16ff5a52f457f8a636bc0ba9705838c870a80f8ec976d82efce15fd6a1490ba6693acec7eed1809ed74c5c090022ff759aa6d74264afdaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5c6f8b15547118c5b561466c922e1c75

SHA1
aea69b1baeefbcdbadc6349623236c75cfaa9cf7

SHA256
f54e031ccfe7e7650dda12db47fc3a8563af7f9a4d4ebcb2ae90dd3082a0f980

SHA512
50d0be996a8cad0e3b558f3d709ef2c0d55a5d05d1230e8f9ccb9b6bf6e4908a3b83a192e9f850d50a1bf42723adc0ec8b774b22d9dc3f8f9e27f42ced885155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
32a03070dee8a85da7eb54568e138e41

SHA1
ab06c822e1fb77dd10ccc4f72337fb7499b791d9

SHA256
2a14d31599352f50e7b576ba43753ee0ea99bbe05481bb7dc7f6c9eab4c13778

SHA512
72b46d2ff7632d0b5b11a7e467a00954e890dec992b34c9b9a903a5bddbbc2effec15e0f0059bce79b2c2d6243d24be76aeab810655f0c0dee1f48c50c06b06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c79b4508a761c47e48ea90361e36a415

SHA1
c5b23f3e68b5e5119121c27a18928aecaf57116a

SHA256
c17ac69b4dfdd31a69dc57bce1891d4abf517f4b41f9b635128b1e988e915a57

SHA512
910cc7a58a134121b2148507991fea1ce80a6a3b1329f0f68e2ff9cab1f4a0f14e64f5ba775d65b6283ab852cfcb8d5d3e82b71bbd2b4a1d5d89d99bdbf79f50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 971125.crdownload

Filesize
3.1MB

MD5
b5477d01c6ec3a2e05153673c7cba24a

SHA1
0774e7fb2a94aa489185ae7047b5c810685ba12e

SHA256
348d6ee5d14cba4dd47355c7c521bf085824359b0285fd0f769678dc8c4edcea

SHA512
590948c3b4e32685a6d4bbb14017c145f061f15e28d3ba1f26ef0d14a01adf2ab029fa11ee4ab2881612084b34e63f30d49d8867dcb0a463a848b6c253f8e488

Download Submit
\??\pipe\LOCAL\crashpad_3952_LKVSPOXGPNQVMODV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/744-156-0x000000001CE10000-0x000000001CEC2000-memory.dmp

Filesize
712KB

Download
memory/744-155-0x000000001CD00000-0x000000001CD50000-memory.dmp

Filesize
320KB

Download
memory/868-147-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download