quasar | c4f4b783e9b152a00d5cac8b82d2ae0c74fa848aaa4a524dc5cb81b1576aaab5

Analysis

max time kernel
277s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (2).exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

516 schtasks.exe
10 ip-api.com
24 api.ipify.org

pid	process
516	schtasks.exe
10	ip-api.com
24	api.ipify.org

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeU4EfipgU5ws7.exe

pid process

4872 Client.exe
3544 U4EfipgU5ws7.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
10 ip-api.com
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

516 schtasks.exe
3044 SCHTASKS.exe
1612 schtasks.exe

pid	process
4872	Client.exe
3544	U4EfipgU5ws7.exe

flow	ioc
24	api.ipify.org
10	ip-api.com

pid	process
516	schtasks.exe
3044	SCHTASKS.exe
1612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Uni - Copy (2).exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1320	Uni - Copy (2).exe
Token: SeDebugPrivilege	4872	Client.exe
Token: 33	3136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3136	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeU4EfipgU5ws7.exe

pid process

4872 Client.exe
3544 U4EfipgU5ws7.exe

pid	process
4872	Client.exe
3544	U4EfipgU5ws7.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Uni - Copy (2).exeClient.exefirefox.exe

description	pid	process	target process
PID 1320 wrote to memory of 516	1320	Uni - Copy (2).exe	schtasks.exe
PID 1320 wrote to memory of 516	1320	Uni - Copy (2).exe	schtasks.exe
PID 1320 wrote to memory of 516	1320	Uni - Copy (2).exe	schtasks.exe
PID 1320 wrote to memory of 4872	1320	Uni - Copy (2).exe	Client.exe
PID 1320 wrote to memory of 4872	1320	Uni - Copy (2).exe	Client.exe
PID 1320 wrote to memory of 4872	1320	Uni - Copy (2).exe	Client.exe
PID 1320 wrote to memory of 3044	1320	Uni - Copy (2).exe	SCHTASKS.exe
PID 1320 wrote to memory of 3044	1320	Uni - Copy (2).exe	SCHTASKS.exe
PID 1320 wrote to memory of 3044	1320	Uni - Copy (2).exe	SCHTASKS.exe
PID 4872 wrote to memory of 1612	4872	Client.exe	schtasks.exe
PID 4872 wrote to memory of 1612	4872	Client.exe	schtasks.exe
PID 4872 wrote to memory of 1612	4872	Client.exe	schtasks.exe
PID 4872 wrote to memory of 3544	4872	Client.exe	U4EfipgU5ws7.exe
PID 4872 wrote to memory of 3544	4872	Client.exe	U4EfipgU5ws7.exe
PID 4872 wrote to memory of 3544	4872	Client.exe	U4EfipgU5ws7.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe
PID 2160 wrote to memory of 4212	2160	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2).exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:516

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1612

C:\Users\Admin\AppData\Local\Temp\U4EfipgU5ws7.exe
"C:\Users\Admin\AppData\Local\Temp\U4EfipgU5ws7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (2).exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2).exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:4212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.0.1580220508\949001541" -parentBuildID 20230214051806 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd8025db-06cf-4d7a-aabb-69eac61edeb7} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1784 26091b0d458 gpu
3⤵
PID:920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.1.2050485190\1997180275" -parentBuildID 20230214051806 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cad0897-aee7-4d3f-87f2-854b98d09cc8} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 2400 26084d86558 socket
3⤵
PID:3456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.2.1766213155\1008074746" -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 2888 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 908 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abc365b4-efe6-43af-afd4-33eb50f8fa24} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3408 2609441e158 tab
3⤵
PID:1924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.3.954499372\340898518" -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 908 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ad54d78-2fae-40e6-aa35-3b28e4b35476} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4064 26084d76e58 tab
3⤵
PID:1756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.4.796155217\658759765" -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 5052 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 908 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6440d9b7-55db-4728-9a26-18df297897b0} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5068 260981cbb58 tab
3⤵
PID:5180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.5.1088884531\1214968989" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 908 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {485cfa42-ddb6-46bb-94c3-fef7a1a2454a} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5016 260981cb258 tab
3⤵
PID:5188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.6.1469243845\663962762" -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 908 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {507e7941-8193-4238-ba8b-e7acec10ec25} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5320 2609828e658 tab
3⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=show%20desktop%20icons%20windows%2010%20site:microsoft.com&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US
1⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff818c446f8,0x7ff818c44708,0x7ff818c44718
2⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
2⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
2⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
2⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
2⤵
PID:6228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
2⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:6724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
2⤵
PID:6668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
PID:6672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10668429900298921394,15196845894352942982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:6676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=show%20desktop%20icons%20windows%2010%20site:microsoft.com&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US
1⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff818c446f8,0x7ff818c44708,0x7ff818c44718
2⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12305059735933399513,15521507947661754896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=show%20desktop%20icons%20windows%2010%20site:microsoft.com&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US
1⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff818c446f8,0x7ff818c44708,0x7ff818c44718
2⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
40KB

MD5
5daa4ea518f05f1b174e7cfc5f4ce161

SHA1
87414a8565b2863c519c27ec5e8dc3ca37336545

SHA256
bf961bd22239c8db046cceb1be178353f481888c4f4cade9b464735758468269

SHA512
d5a8563f3c377cdcfa2218edd19d23ad3997b832573f92c0633e09d8d2aad1d8c625576f46a4a5bf6a63fe945472fb7f4264504f18545bdb75dc08d6a8a852cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ed5762089d97e7dada7f06ac0c2acecc

SHA1
c985b527614cc3233ea1f03c7110e7ee96695e85

SHA256
61a157cfcaf5176ec7c45d2a2d326c67a30372e424ed208e732e98bd486674a2

SHA512
e3a5043659aa3529cbaf521bc339d706a199efdea13fd5da4bdb32a07bd2b42ccbf606a0d6f25bc5b88a6f5be307201f7c17e9e9fa8ce2a596e64801e7ead831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4467876cd8f6471eb1c4e4fd714b2bfb

SHA1
10e417dd61d72975ed4c325447139d92863147d8

SHA256
f079299d157a7881f5cb2047e65ebe01bcad480166b40fc323b7fd193d27ec7d

SHA512
719228d41467ee04a1d44c0c3df29037043292834c666e107e4430e3c2d9ffb75a8b94af0d7a3eb6c9080b9667cf28292bf40be07823ad17c395ce03156b1c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
d231e426d17120fc66e436c4da7fe025

SHA1
1d07c68374788ee6462e098419050ad3ef719c82

SHA256
132cec794fc76f20ba3e61be0499f7730e7f3c9f29d15ce1641877c5d141f8b5

SHA512
a364d72130ea42c2814dfaa31ceb3b71151d4bac8de6f31d82d24a0b7fa24cbb35b39182619607bec10a2f483f7c4c957e63bfd976d4279dd48c36dc7747aa4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
9c9e697b659f451045957cc8fdac5c61

SHA1
813943bac1ef863d661d46c54ae9f332e5114061

SHA256
779107767e2daf8b7b433d21a7fe507c982a2baf98a4ef7a78f1804cbc24e014

SHA512
e93bc5cb55e5a6763d78d8b66f18a2bff8809f0c9faded46a1a205362a568a7da6fba3d6b9db040c083ab5e1ad176d8bb68f2d78c8125a7c0f7632ae37e02b59

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
08c97d66a12a40f7968e56e765b0ff63

SHA1
e4d49086df691375500f6b51e041fd3991b43ac4

SHA256
96975ab470dc9bde874173b383fcfca7a1fd725505409d75da5c7d48ab543c0d

SHA512
b18f38944a6d50bfade1d224f3c8ae2fd50ca04f6cb33d8e7218be8201e40347ef89676441160fe1cdbadfdf23e5d081530913b17125c66788d6a01b2adc1904

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4EfipgU5ws7.exe
Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
Filesize
6KB

MD5
98c324d6dd6e1dfb2f30d8debe63f34e

SHA1
c1b87425622f0504bde4aa5139bac8c08053356c

SHA256
e394606ce329d1d758c4a72698bcd206d91999620d454175fc90a2df1cb03c19

SHA512
0caa7e4f8ca1a9604d51fa6d43c32d227fea6e508d7b40418b8f8a614b9d97ef8622f1e8a87156c81c44190bdcfc889171066f6984c827fd31a42a29f550113c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
4de141b78dbad522f8cfd8bf427132ea

SHA1
856a90e5358e8270698bce4217249e75ada04489

SHA256
49431a980f7938000b2d62b1a9f7eff3289ef48d5ccf7e15d5de31d2a4e0ccf1

SHA512
43f0f13476a01b888a22fa797a35ce5450953a9898127543e871f848113848f0ca1e41cd5a8a671835691240183bcb9d292bfc1404cd82fd52c57d30dcdabeed

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
\??\pipe\LOCAL\crashpad_5540_CYDNHFIHATMZTNAX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1320-6-0x0000000005E30000-0x0000000005E42000-memory.dmp

Filesize
72KB

Download
memory/1320-15-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1320-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1320-5-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/1320-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1320-3-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/1320-2-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/1320-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp

Filesize
432KB

Download
memory/4872-19-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-18-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-17-0x00000000068F0000-0x00000000068FA000-memory.dmp

Filesize
40KB

Download
memory/4872-13-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4872-12-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download