Analysis
max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 20:55
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
quasar
1.4.1
EmmasSub
85.23.24.170:4782
85.23.109.34:4782
82.128.254.93:4782
f82c7021-f558-4f6f-bbb3-fbe420c708e5
-
encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
WindowsSecureManager
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 734114.crdownload | family_quasar
behavioral1/memory/2788-243-0x0000000000890000-0x0000000000BB4000-memory.dmp | family_quasar
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2788 | RunMe.exe
3312 | RuntimeBroker.exe
Drops file in System32 directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\WindowsSecureManager\RuntimeBroker.exe\:SmartScreen:$DATA | RunMe.exe
File opened for modification | C:\Windows\system32\WindowsSecureManager | RunMe.exe
File opened for modification | C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe | RuntimeBroker.exe
File opened for modification | C:\Windows\system32\WindowsSecureManager | RuntimeBroker.exe
File created | C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe | RunMe.exe
File opened for modification | C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe | RunMe.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1564 | schtasks.exe
1948 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | msedge.exe
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 734114.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4004 | msedge.exe
3052 | msedge.exe
4396 | identity_helper.exe
3092 | msedge.exe
1708 | taskmgr.exe
(64 entries in total; repeated pid/process rows collapsed)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1708 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
pid | process
3052 | msedge.exe
(10 entries in total, all for pid 3052)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2788 | RunMe.exe
Token: SeDebugPrivilege | 3312 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1708 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1708 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1708 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
3052 | msedge.exe
1708 | taskmgr.exe
(64 entries in total; repeated pid/process rows collapsed)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
3052 | msedge.exe
1708 | taskmgr.exe
(64 entries in total; repeated pid/process rows collapsed)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3312 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3052 wrote to memory of 3556 | 3052 | msedge.exe | msedge.exe
PID 3052 wrote to memory of 2596 | 3052 | msedge.exe | msedge.exe
PID 3052 wrote to memory of 4004 | 3052 | msedge.exe | msedge.exe
PID 3052 wrote to memory of 3372 | 3052 | msedge.exe | msedge.exe
(64 entries in total; repeated rows collapsed)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(image path, then command line; child processes and triggered signatures are indented under their parent)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/TERzy2
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc451246f8,0x7ffc45124708,0x7ffc45124718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3624 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,13195491827406671325,7783004323398346399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Desktop\RunMe.exe
  "C:\Users\Admin\Desktop\RunMe.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe
    "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0929a8cb-e18d-4760-99e2-f6c870456a02.tmp
  Filesize: 11KB
  MD5: 1c5a6d5ab02015842d5dadbfb037f01a
  SHA1: c4f9d6d047258ef73e75136710b1c2ef26d8ba65
  SHA256: 441ccba2791cba0497c892e7e287343929c92c37669424515cfeb44d483539c7
  SHA512: 867e2162f08695bbb26cfa207ff6ec4295b8fadb05aa702760de08057c527cd5555c3e6a311a415c9ac7287db26ebde9fb607536097b79f66c797220d62e42ff
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56641592f6e69f5f5fb06f2319384490
  SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 612a6c4247ef652299b376221c984213
  SHA1: d306f3b16bde39708aa862aee372345feb559750
  SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 288B
  MD5: 397d892071330e082c09c877eb8ec307
  SHA1: a1acea79ee0701c294db4ac483e20d47998e2e26
  SHA256: 7b585c4ba6587d75af635bb6ea3d70845802f8464af8235d026c36910ec0d021
  SHA512: fcb55d18423d72423c8c739cdb655400115b4b506fc00d194cc562ebaef46f710727cb82b4d630cbceadd3270d467415399e1dc12596408e08365ed08f649039
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 856B
  MD5: e7e681435cc552aa6ff794d3b4e94066
  SHA1: 0a46e40066f19dcb100ca7174c2ee059417579b7
  SHA256: f7eea30ba3e3b84a7cd2270934bd072c3125fde21282dc04f99d5603e72e4558
  SHA512: 334cc143c9deb1177a1975996619721dd99816157fc6554735d1064095c1aa5c3b287b05e59e930341bf1e090df61880693520b4753f38841e7cba6931fc72d7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 0594231709cf8f28340b84864596b561
  SHA1: f02390ba6d76bd3b235128887c6058b47b7310e4
  SHA256: 454e51547a398dcd396287eec6ae33b588cc2a8b37e13b743f8bbe9b1ee00a19
  SHA512: 9d0a8f4c3d33355f37b750182f2282f047cad3a348e10e9447c396e308447881340a6e3f9847244c29a674d8fe46709dac01de8a5b2020a4ca8fab5dcc5d687f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 0cf5db03b3096035ed41d810903cebff
  SHA1: 307e198f202f553adf0601e22acac5d7995700bd
  SHA256: ad603591b676e2d0c429c4c889c1f42f2476efe5701b69d34259ad529c8f5ae2
  SHA512: 49a4ba42baba68d1d10f433d78e92e8963756ecafb14199c63de5c780d54a6126646a12fd6e9bf36cb4629c550461a37457a69429fbdb1cf42133013dd731631
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 0f0b90dc807bcb5cc80187bfbf0372db
  SHA1: 1381c1cc6651f5a912a0ebdd6fbe97b5d517ea7d
  SHA256: d1c25f1b16a2bba453fecc376d7d54cb05a9a4b770c042d4668badfb3798df45
  SHA512: 6c70ba2664d52027c6db8364a868abd302dbe28ed11c04e910262d420452a7683ff920456f7cd37a8d08ff410d2540174d71781b8ad82fd2354c04e2748a0a4a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 02135d331728ff09a68d62b35106e1c6
  SHA1: 7fb8569d24e54811be0f8e1c47600fa11fae02d3
  SHA256: 9917e1789912f17c9fb6d3b643d1bc2aeb1dc59e1278958649726eb7f3bb0f91
  SHA512: 7e06f8866ed81c57cc300d04a6cd4e3cd4041ddfed950dc1d1e530068de197861cc9b68b06d513876756afa07ae43162d16bbb758e0f4deb66bfd00d83a2514e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 601051e578102aaa8f634d6d36c26107
  SHA1: ac380b99d6e85c4a381b4196ba91c5542d3fe499
  SHA256: 30947baf292ab2f4714a7728f399c700db1e7f93c1d0f012623aac53f38fe52c
  SHA512: bdb47ab3029f46612b166953a798d007a6a459183f0eadfe2accb51bca42c260ba8ff2850b503df81fc936191325f90fe467a01ab44b6681e77e5a4c8a47674e
- C:\Users\Admin\Downloads\Unconfirmed 734114.crdownload
  Filesize: 3.1MB
  MD5: 392a6ea0718747e4ad443f730047715b
  SHA1: 808d682efeb32bd7f98e49b7b99350683162059e
  SHA256: 36be936ba0fc160a314bfaf9be4c8689730ad9c11c3cf6fb7d066c43a934b257
  SHA512: b033da7b04a2dc9a342de4970ae1fe26cda4d82bd3fe4a2a2f34507675832912cc6d66456a8a846f75a705523514d4b52bbd120e7b629c3d38467d999d2e95b4
- \??\pipe\LOCAL\crashpad_3052_NWFXFTWMIKDZMOIE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1708-264-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-253-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-255-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-254-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-265-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-263-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-262-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-261-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-260-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/1708-259-0x000001D484A50000-0x000001D484A51000-memory.dmp
  Filesize: 4KB
- memory/2788-243-0x0000000000890000-0x0000000000BB4000-memory.dmp
  Filesize: 3.1MB
- memory/3312-251-0x000000001C390000-0x000000001C3E0000-memory.dmp
  Filesize: 320KB
- memory/3312-252-0x000000001CCC0000-0x000000001CD72000-memory.dmp
  Filesize: 712KB