quasar | hxxps://github[.]com/aspdasdksa/TROLLLOLL/blob/main/hello[.]exe

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/aspdasdksa/TROLLLOLL/blob/main/hello.exe

Score

10^/10

quasar test spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

47.134.26.200:4782

193.161.193.99:23325

Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes

encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS Build Tools
subdirectory
Microsoft-Build-Tools

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 473926.crdownload	family_quasar
behavioral1/memory/3480-209-0x0000000000F50000-0x0000000001274000-memory.dmp	family_quasar

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

hello.exeClient.exehello.exehello.exehello.exe

pid process

3480 hello.exe
2144 Client.exe
3480 hello.exe
448 hello.exe
2340 hello.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

57 raw.githubusercontent.com
58 raw.githubusercontent.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1436 schtasks.exe
4844 schtasks.exe

pid	process
3480	hello.exe
2144	Client.exe
3480	hello.exe
448	hello.exe
2340	hello.exe

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

pid	process
1436	schtasks.exe
4844	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

hello.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe\:SmartScreen:$DATA	hello.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 473926.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1200	msedge.exe
1200	msedge.exe
1580	msedge.exe
1580	msedge.exe
1664	identity_helper.exe
1664	identity_helper.exe
1800	msedge.exe
1800	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe
1580 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

hello.exeClient.exehello.exehello.exehello.exe

description	pid	process
Token: SeDebugPrivilege	3480	hello.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	3480	hello.exe
Token: SeDebugPrivilege	448	hello.exe
Token: SeDebugPrivilege	2340	hello.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1580 wrote to memory of 3484	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 3484	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 4804	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1200	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1200	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe
PID 1580 wrote to memory of 1056	1580	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/aspdasdksa/TROLLLOLL/blob/main/hello.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdba7a46f8,0x7ffdba7a4708,0x7ffdba7a4718
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Users\Admin\Downloads\hello.exe
  "C:\Users\Admin\Downloads\hello.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4844
- - C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1436
- C:\Users\Admin\Downloads\hello.exe
  "C:\Users\Admin\Downloads\hello.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Users\Admin\Downloads\hello.exe
  "C:\Users\Admin\Downloads\hello.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Users\Admin\Downloads\hello.exe
  "C:\Users\Admin\Downloads\hello.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11423453350452636814,6897382078375899521,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hello.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c0c92110614e33a2f3b5d1e48c40cdff

SHA1
14c1c6e5bde73a459394d5b093e7a07b87d84a80

SHA256
de0b19a2acc0152c56a06da424344e6a2253a7e565439d2b17ae47c6fd8f3de5

SHA512
05d4263c10b87ce8fbd34523c338aadaa92b1235bffc4d5bff64a50cd1f7040c34659e27cebde51db1859bb2300bdb17f76ee4425b9cdb3cac052046fb15975b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
454e7cd4fbb0751ffa354ec86870a258

SHA1
716d6739a2a278446c3e9c16cb72d996d042bc89

SHA256
9cbad050449dd86a473ca97a90c4b4f6076f3174f52ae515de52cb4793f3d5ca

SHA512
83e6e36c576ef32a555d6a6e3ed9fe4ad51d7681bbfcc6421c29b15cadb0bcc918e4a9d6388ca0e1a1ca750830164ef64ca8015d07a0a2b8ec81fb17c5bc6f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e4c17579fb1ce900845947f532c23bc1

SHA1
6760a8870216f75585a26d114ea75d4e70815ab5

SHA256
54a56f9e0466723463dc9cc8ed44f0b48fc9d867fbf8a914b0591013b52489b2

SHA512
a07ae4fd4420d6fce91317afd00e80894cb246e377980550b4fd17d3a0024e2757b2561a77b569e1bffbdef5273fbd700fd2bba4e80f0fee3138d447a28a54a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de40d5226ecaf15fadf21bfe9b40a38d

SHA1
ccd31ad08b06a031d651d73be475a198f12d81d6

SHA256
ccae8ed4c4a74b39e6dd0ffc274dea221a7ddbfb1027ea209f1a5b0a7d4cfc88

SHA512
d39db0d4d222b0a0cf6b35c36ebebbac411dca1b42c9efa159e6452e774b4a2ec39462bf40f421ae1269d9f911d3e228775b04bb618f0e4cbf64de68489b00d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
baba85da7eb91be074c5c1eb8d8b3c76

SHA1
9ff9bb66965e8cd346fd3d6bece1244e25cf0888

SHA256
49971391552be74cfcc0e3106be9a8eeeb6728dfaf36b106a3995bb6a924a48f

SHA512
ea064612dc67428acbdc3a3f41dce7ce2eed5e462a0d7a8cabf1507c26510f51d37919acafe1e6b664549681adcf54ca657264a0e38ef3a5103892cd2a662524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b824dc8a86e47fe87e6c6e1437b0c6a

SHA1
e384b84e7306dcdd4fc0e2c76a01232041728353

SHA256
8832e2419c709d3b6824e7a949c548408709209960fe7bc0d4ba4e824b104418

SHA512
557c2275ca4fe31fc08db81078f24a9b089743716689c7d6c4fb5a0d54f555b9890d853df061059e239a0ceda193b41060581a21d85ab230f869d724363fe501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6bb4a62baf3df904a9871097a6503631

SHA1
0d3a557c130c0dcdfa54c99fb9a75380950e5cf7

SHA256
f87b11f1d52cdae78d4b58fa962e82ee53cbf2139adf761ba3146e7c8a0ce2da

SHA512
64c36eae2671ee546b0c34ac01e3b1daeb5da53d7b931ee63e3c46509315da710fea80b4fb4651d636d183482b967818203e4a07f8ad97110c94355880214977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a5a6.TMP

Filesize
874B

MD5
9bdb1925c9e94a7d3585cce3b3118c78

SHA1
12c5f8d30b25aa1f84181775f405216309482c75

SHA256
0d8b93d547802343da756eaa10c2bf788ed376a89d5bee45eec4ca79b0a20018

SHA512
ab1f6d75a46686e3be91e06ad7ec338275f32790a5e48bc06526dffcface39cae83d5d2fffdba2a07b5f59717ee89632980480ee2cdffba98ea49f81dad54143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3e3d65ff63209a0f29bc9359d44f3340

SHA1
1580e8c7ccffb02acb651a7693539a4058b36dfe

SHA256
35f8be109af00d5f498d1d6c4a2ebfbc541ddf490fc119289517a9461b1214e5

SHA512
1377cb8dad8c27db369ea4d125d8093e4e8b4e034ab4041a66c1efe542d65bfd814decaaf665c0f0b6751efb6e0f3323438988d90095b40f39943d0b4cf306b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c565e06d17e40fa98f0eeb46bb7f6dee

SHA1
86c0769906845817644d17e70413d42b9cadd3c8

SHA256
8dff3cfab7341ee78957fa4839f814ec12aabe4d202f1f5a7c9839cb2efd1f42

SHA512
ecd7ce33c15f805ec0dcc6d58e7c78d843aff076a9c983787efb169e77cea9ca21a2b6dbb73edf91578b8a2ce286c0cd857b5d743f83f5626ef63e79f73c3a42

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 473926.crdownload

Filesize
3.1MB

MD5
b92b7e16f21a97fbe21c4c45deb00587

SHA1
e4af65acfac45c31dceacdf9a2e1d18cde2537c2

SHA256
651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f

SHA512
7c5813bf73ee7deca78774861b2632d4a0fb7b3b62996cc54ae0b16baa62a0f360f31fa810b73c5fc922321b6ce0807e69bc02e35f98d7f350086283f8836931

Download Submit
\??\pipe\LOCAL\crashpad_1580_ODEEBELFTCHTMRMX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2144-216-0x000000001C4A0000-0x000000001C4F0000-memory.dmp

Filesize
320KB

Download
memory/2144-217-0x000000001C5B0000-0x000000001C662000-memory.dmp

Filesize
712KB

Download
memory/3480-209-0x0000000000F50000-0x0000000001274000-memory.dmp

Filesize
3.1MB

Download