quasar | hxxps://dosya[.]co/leoztjlscue7/Hack[.]exe[.]html

Analysis

max time kernel
299s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/leoztjlscue7/Hack.exe.html

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.72.128:4782

Mutex

aee623af-65d4-4b76-8d80-509b8dbb1af7

Attributes

encryption_key
A2C1CBAC22B62E42E0DFDE9F6CA17AC9BD8355F1
install_name
Client.exe
log_directory
Logs
reconnect_delay
2000
startup_key
CMD Client
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0004000000022ae8-80.dat	family_quasar
behavioral1/memory/5736-119-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

Processes:

Hack.exeClient.exeHack.exeHack.exeHack.exe

pid	Process
5736	Hack.exe
5920	Client.exe
3464	Hack.exe
5664	Hack.exe
5232	Hack.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exeHack.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 259409.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Hack.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
5860	schtasks.exe
5964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
3436	msedge.exe
3436	msedge.exe
3104	msedge.exe
3104	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
5608	msedge.exe
5608	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Hack.exeClient.exeHack.exeHack.exeHack.exe

description	pid	Process
Token: SeDebugPrivilege	5736	Hack.exe
Token: SeDebugPrivilege	5920	Client.exe
Token: SeDebugPrivilege	3464	Hack.exe
Token: SeDebugPrivilege	5664	Hack.exe
Token: SeDebugPrivilege	5232	Hack.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exeClient.exe

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
5920	Client.exe
3104	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exeClient.exe

pid	Process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
5920	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3104 wrote to memory of 4488	3104	msedge.exe	85
PID 3104 wrote to memory of 4488	3104	msedge.exe	85
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 4316	3104	msedge.exe	86
PID 3104 wrote to memory of 3436	3104	msedge.exe	87
PID 3104 wrote to memory of 3436	3104	msedge.exe	87
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88
PID 3104 wrote to memory of 3616	3104	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dosya.co/leoztjlscue7/Hack.exe.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b00e46f8,0x7ff9b00e4708,0x7ff9b00e4718
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5608
- C:\Users\Admin\Downloads\Hack.exe
  "C:\Users\Admin\Downloads\Hack.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:5736
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "CMD Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5860
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5920
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "CMD Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2851448202982989030,12952281832422776650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6068

C:\Users\Admin\Downloads\Hack.exe
"C:\Users\Admin\Downloads\Hack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Users\Admin\Downloads\Hack.exe
"C:\Users\Admin\Downloads\Hack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664

C:\Users\Admin\Downloads\Hack.exe
"C:\Users\Admin\Downloads\Hack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Hack.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
99d9c7fe44f08b978bc934726e835d36

SHA1
4e89b8f57020db0501f88c4b06abae273876a78c

SHA256
b3b7a2999d5eb92c1d78c773238095c3d0458b248ef8dc419a6aaeaf479c0a5f

SHA512
a2ff5a2cc10c59397c86e95d9f6702a9565a0004809b31faff2a8ea65d297990b0a8023ef323e856990c82b6ff04231539c740cfde489d24caeb23bdb8208c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1be8773f9f222829e9b52c4147131241

SHA1
78170e9e6bb6f370f8dc64d7ee9f7cfa82bf21ed

SHA256
2323884d074525be03dc974162bfeca022bcefb39e20aa4811b4afa68776ee8d

SHA512
e2fa6fae7d33ce76954e4a2cce975f9751ac7f0062fdeeba3c048806fad7c78fb794c8922ad3aef326665e2d5bdd90f50349fab9e557fd55a1c4b4baa1acf3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fb61635bddcab31a664dd239c15b248d

SHA1
d15202c676f7be398ed7e5f64212132e7b652e7d

SHA256
ab4c92d134f2df0f7fe5df5a7889525f942e32429ce5dc1337742475be7f193a

SHA512
686d4030fa98534707e60ab1045de95cb6b08211caf44931e9572d80983213c7661a5a42412af208f9121936042ebbf544fe69af6309d83db696cf16fbfd9c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bade995abd63fff8a24e63eb6772b199

SHA1
5490d28836e2264a65408f3ac9673d1fb44306b9

SHA256
296eac372b9f5c7985c7e001164b8465510749d11ee71bc9ccc64b3e46dd8cb5

SHA512
e5af7d6c4e87a81dd5fb8df3efd2cefc253ac8bf27c3cf8ac47e101635462c93d2db9fd1ec953315a45611cce40ad1e3d08ee36ffb4be6716cce55f3acdeee03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a41239e79b83dd9a45bffaad196f176

SHA1
60aecfb9183d79ce66667352a664be69831a8dbc

SHA256
00680cab14a4f4660c176abb4741dd481af7595bce0a79db25514a31823f2890

SHA512
5ee14f6180a2120efecf48ed4509db9c5349fbd070264e4b1f49863ff89e29ee9b33a9d3d1d4c7157aa762a4fb57f114764494639236697e0483037070711087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2fdceb996b3d1dedc9e16eaf35c23d82

SHA1
342657840531caec7d31788434ca3daa280c3e75

SHA256
9295b5e1435ddc00f1c58864bbb9874973fcb2af1c1eac2c6f4d725bfa7a6f2e

SHA512
6f522e4082347d0b1f85f75bde5475ad70f6a5d0129b4a4064934854d18ec99fb2975e73235ffbc18138036dc9648818149ccc060532061a6445c34ff3dc7676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2f8a51dcab188e138b5584d72a2d9d6a

SHA1
3513248241733409ede3f119ea872867056df531

SHA256
bb8be564b943b359c8248e151d7e1f6d2dc0debde6bdd6609f6e85eab7d29453

SHA512
7b63e29dd60252e94a96cf143b6b0fa58e6bff4c68882c3acad86c760604b7d77ad07c869bf53c42554ac7efe2460d19c37f229f706309de3f0257aefd0fab8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc0ba425dd1f0094ab2b17a0273548a6

SHA1
4ae1919401d5cdbccf3d628ba52e96c0866c4666

SHA256
bafe07f7755e153416a561acdf038d8285f9f399cb3928e7e2178b430eb7f98f

SHA512
6753d13792d3559289a99a94479126c9a7ae4c851f005b350b8bc305e72a077992576a65c095ca75231eb7a90e667269dc2be6d2bfbd6c07a4537ab293fc5f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98c7fed5057814ce951b8660d84bf44c

SHA1
ca37b33dae539021c6e8e83671212cb0443c2685

SHA256
2cda44078f971e72d63916da443a143cf0ceabb33c680b81e6a68b524e678067

SHA512
05c6558d3205c634d16ca3e645f089f10a134c8f6754b797465e050b93206db671925719b624d8b133638fa3a45880331a05bb99dbf5699dd27e257edc53d922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b2fa.TMP

Filesize
1KB

MD5
e97cde38fed322a83f37cb445434459f

SHA1
6ed36879938ca8463faa5bdac1b93444d3eb1aaa

SHA256
793e19481751e98c16ee55c05f308ab9cde8091a34511d6102154985c3d4c445

SHA512
d8bd87f91df5b5aa0a6a50ba54b65bda998fa4bc2d7be2ec2ccc277b2ce4835fb089af56951df2be601f2969b65478290292516af5ceccbf0bee1bf7f094181b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a7106471c2d667debff5d2a3a6e27ed

SHA1
e63c76540951f36f8057dda3c4c4ec8e14ef4525

SHA256
d36545cf613fcda8c110e1675e13d27e685527de9a0061449d0ddb23b3a23551

SHA512
ed171177bdfaae00248bfa20ab0bff2c89a3a7dd5ec5f6b9d5399dae3c10e4fb8555ffff040fac9af609e84b6553b495d6b68d21d346d5dc124f115d66721deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15ac8a653ee13d56a8b26ac1f0d9b9a8

SHA1
77d00a20ea89125cb1dda7d6b4b033859d14fd6e

SHA256
d625e789ef87cca5130dfc7439025a9426c469c55ac86127c08c4f979c28544b

SHA512
0782338ef8ec6ef3d1dcd5e7889f1fb5e9c8399d92087d5a70b347f75b5822ab3cfab8fac4f43cec6ca9605ee951a26e52df70a7d5906d7a45b88d8302fa92e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a5b901bc4b8f198924b40b9950ca6dab

SHA1
00ba1828cb39f3de699cb80387c32b5173ed9e7f

SHA256
89f5b7fb8ab0ac6138f2c924c934235c6f09355525bdf21cd1c95df7cfc212eb

SHA512
b332dee1bfbe12ad49f1e62b4169a0d1021faebd662d0dd5300869d12db104d8dce104567259d6d52aca7f64fa081389b10a575cadc89efca359a6a464d82730

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 259409.crdownload

Filesize
3.1MB

MD5
a6538474fa6fee1b9901c128d222c603

SHA1
8f93b03cb0f1454ae3f343e70325ab937e585cbd

SHA256
1dd32cce9f71b8966a8d9a22373e4993ea2da7e6db752abf6ada27f2a757f3bf

SHA512
27593d735883e3d163ed21f477c99c16c36b2bd192325932c012856fcdab44c38646088799c059418351bf309345073d115b227a1956189274f31cc0a9dc739e

Download Submit
\??\pipe\LOCAL\crashpad_3104_DIHWEKZXBYSYAUOL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5736-119-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/5920-127-0x000000001C890000-0x000000001C942000-memory.dmp

Filesize
712KB

Download
memory/5920-126-0x000000001C780000-0x000000001C7D0000-memory.dmp

Filesize
320KB

Download