Malware Analysis Report

2025-04-13 11:54

Sample ID 240819-hqdawazekb
Target 603cbf6c93b296fcafa13624daf1ede0N.exe
SHA256 ab2cb970c5d0f041de312ba78707aa90264b0ef3399742202d16e83671cd51de
Tags
quasar mib3kkkk discovery spyware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 603cbf6c93b296fcafa13624daf1ede0N.exe was found to be: Known bad.

Malicious Activity Summary

quasar mib3kkkk discovery spyware trojan

Quasar RAT

Quasar payload

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Runs regedit.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 06:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 06:56

Reported

2024-08-19 06:58

Platform

win7-20240729-en

Max time kernel

93s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1112 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 1112 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Windows\System32\cmd.exe
PID 1112 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Windows\regedit.exe
PID 1112 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Windows\System32\calc.exe
PID 1112 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 1972 wrote to memory of 2800 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2800 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe

"C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\calc.exe

"C:\Windows\System32\calc.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1972-0-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1972-4-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1972-2-0x0000000000400000-0x0000000000724000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 06:56

Reported

2024-08-19 06:58

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3504 set thread context of 1780 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Program Files (x86)\Windows Mail\wab.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Mail\wab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe C:\Program Files (x86)\Windows Mail\wab.exe
PID 1780 wrote to memory of 2468 N/A C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1780 wrote to memory of 2352 N/A C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe

"C:\Users\Admin\AppData\Local\Temp\603cbf6c93b296fcafa13624daf1ede0N.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4064,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5060,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4088,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5536,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5868,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5440,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6240,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6404,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5696,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6308,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5808,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

Network

Files

memory/1780-0-0x0000000000400000-0x0000000000724000-memory.dmp