quasar | 5900b0e5f972927db833977bee140aa7f10863eeb40c8f7e4742c6c8bd3a3063

Analysis

max time kernel
147s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

f4b0be81680b72bae9c31f3225149616
SHA1

12dca5c6e3c2e7a91ba8e30ec4e56a888d3bfa8e
SHA256

5900b0e5f972927db833977bee140aa7f10863eeb40c8f7e4742c6c8bd3a3063
SHA512

1aeb4459bb0d558194033c451f631cfd75c9941a16c33aace8808816e36ddc3322a5e17152629594014d8e9f50b6335edc673dcbc67f3a3a32d272d233107d17
SSDEEP

49152:3vflL26AaNeWgPhlmVqvMQ7XSKwYEb6LxpeoGddLTHHB72eh2NT:3vtL26AaNeWgPhlmVqkQ7XSKwYEbPN

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

192.168.2.106:9845

Mutex

886f65bf-be67-4863-9244-e6f9bebe60cf

Attributes

encryption_key
4723FE2DBDCD0127EBB880CBCA3A5D063F882349
install_name
WindowsUpdateConsole.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsSystemRun
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3648-1-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aaa8-6.dat	family_quasar

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdateConsole.exe

pid	Process
5088	WindowsUpdateConsole.exe

Drops file in System32 directory 5 IoCs

Processes:

WindowsUpdateConsole.exeClient-built.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	WindowsUpdateConsole.exe
File created	C:\Windows\system32\SubDir\WindowsUpdateConsole.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\WindowsUpdateConsole.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\WindowsUpdateConsole.exe	WindowsUpdateConsole.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2960	schtasks.exe
3128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
5028	msedge.exe
5028	msedge.exe
1152	msedge.exe
1152	msedge.exe
3944	msedge.exe
3944	msedge.exe
4104	msedge.exe
4104	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exemsedge.exe

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client-built.exeWindowsUpdateConsole.exe

description	pid	Process
Token: SeDebugPrivilege	3648	Client-built.exe
Token: SeDebugPrivilege	5088	WindowsUpdateConsole.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

WindowsUpdateConsole.exemsedge.exemsedge.exe

pid	Process
5088	WindowsUpdateConsole.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

WindowsUpdateConsole.exemsedge.exemsedge.exe

pid	Process
5088	WindowsUpdateConsole.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid	Process
2028	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeWindowsUpdateConsole.exemsedge.exe

description	pid	Process	procid_target
PID 3648 wrote to memory of 3128	3648	Client-built.exe	80
PID 3648 wrote to memory of 3128	3648	Client-built.exe	80
PID 3648 wrote to memory of 5088	3648	Client-built.exe	82
PID 3648 wrote to memory of 5088	3648	Client-built.exe	82
PID 5088 wrote to memory of 2960	5088	WindowsUpdateConsole.exe	83
PID 5088 wrote to memory of 2960	5088	WindowsUpdateConsole.exe	83
PID 1152 wrote to memory of 500	1152	msedge.exe	90
PID 1152 wrote to memory of 500	1152	msedge.exe	90
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 3256	1152	msedge.exe	91
PID 1152 wrote to memory of 5028	1152	msedge.exe	92
PID 1152 wrote to memory of 5028	1152	msedge.exe	92
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93
PID 1152 wrote to memory of 4492	1152	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsSystemRun" /sc ONLOGON /tr "C:\Windows\system32\SubDir\WindowsUpdateConsole.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3128
- C:\Windows\system32\SubDir\WindowsUpdateConsole.exe
  "C:\Windows\system32\SubDir\WindowsUpdateConsole.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsSystemRun" /sc ONLOGON /tr "C:\Windows\system32\SubDir\WindowsUpdateConsole.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2960

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskmngr/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd1053cb8,0x7fffd1053cc8,0x7fffd1053cd8
  2⤵
  PID:500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1768,9665053620794560386,15590285659897237294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd1053cb8,0x7fffd1053cc8,0x7fffd1053cd8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10522205198606601244,18071938846117978671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f1320913e5599ff13990c090ee9fdb3

SHA1
e78e63ce8d4d403fd5e74d4fd3d4d6a4795c3c73

SHA256
f7e138b3d28da4c5b85115027417b784bfdd58cb8feaa1461fce35255dbbe8b9

SHA512
5e42e8402ecfef5ac6928797160741bf99b3a2ce3ff01082cba6cb1223e1fa2032e51277b283c1985eb9576f7f7efa3da4e8c081b5c9c60e55825845c6023857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2b66504b85d9952e378560c58c73463

SHA1
c9bd6f6d4e470ab5852ecc4b14c18fbabafb6e20

SHA256
e7f62d276a7f787e659fc1f79563189981744ae32fa1e6021ffd097022219042

SHA512
5bd543e02fd18c14aa3de4a1f59e26471ce33a81431ec155eeafb95afc1285b42039da5f13b59cb96b2c68172d0b97a82fa8b1894194c2fa882e2bd5610fc870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
03377aabc3d0c7635e975b037432ac2d

SHA1
80b4e7bc12d760a449f21cc2bd5c986a2f3bbc85

SHA256
802f01ee59dab06b848a564e5731151aecc4b4b9ed19bf499ffea28ad784c819

SHA512
bbc74ec934d43ea9f764fa9498ac8532c0a66fd9c111c8ce0573fa6c961581b6d27c4ebec1ff7ea5eee467707df264b2fffba3c097f1e72404a6d247e656ec21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
903e41beabff515e1dfb16a298dcd3d7

SHA1
dd599c71a7d4664aa85479a988c1dc67cb61a5d2

SHA256
fe90630727c407a89224a0c422eb3aa1cb278d59cdc44c562ffc760d67e03ace

SHA512
c70472f14cd06e0063c47314860488e385c8c0a3dc48f59ad8b6e4198ce163ba44306fb528af46eabc5b49b3c4689e10019434eda0e6d077eb5e9efc9df7c8a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
66de8df6852c510a0c38c5758057139b

SHA1
8d88de2511576cd7ccff6788077da5af56a9a949

SHA256
3bb2c588636b8eef6ce9b0fad04ad649e316854eb0579a135132af8c30f8fb18

SHA512
e87c94315e38167c86761fb1f58e14ee981fc4242f629f178255b3eb2a218dcc58653d6dbe376fad1a56aa407c5905bafff54b92c543aee80e2b384fff860d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
248B

MD5
63f42f1c79e98255682111419bced474

SHA1
392a69cc46c562c9e64eca8816292a2fa62fabea

SHA256
b4961ea15fb968ed3aaa6eb5241233e07e85721d48a2448648f641f433064362

SHA512
fd54189b134af5d282743f6572bc86af41ff43e8f5c034c9c58cb96c3bb9160c8fe356c8d833ae96019b9834c5ac4c00043a91b97e8d3da6cac055605fa2e7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03b4e2d8671c16e796ff5fe263198ec2

SHA1
58437c46965daeb8a14a304ce099b95d681af2f6

SHA256
a11f4f712c92e0e18afa07c1fa66118306398b8fadaf6bc5c82dc0fca389226b

SHA512
4c29d3031cc7b94a688c65ad704b2836dc8910903be8470c75d00fb8076a82c132049950f888cd9efb7b89fd82c86f24cd7b00b7cf07f83e075f3ac9ca5a2b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1b97f46185b392c9c67c0323bd89e2c

SHA1
57f5db6a9d7abae72b69b9740b274a47e70d6c79

SHA256
08d48c23764d44812fbe3aa1b1e36d7adf84158e889037777fc4dc8b33a0145f

SHA512
800f157d29e69f39633ac9e54c87cefdc8f96e0788e0d5e5191ba29e97a9efb088c82b18fb3e1683368f14edfb0944e03f82fd8708e73ae06b3a36ffa374d605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2186af4a28dda471b0a143f80950aff

SHA1
d662d821abd55f4b5a3e582abc9a3b9c25c94c3e

SHA256
01e85373b1e78f32694268eda9acf02f4ba04046498bb6172ef5508f72bf080e

SHA512
12f03f87b4cb0a668a135d9eea61e2f4d033e63ab73b63df9a3a5d0f854da9eb7faae327a819ef81e5f0fd6e3469a128552ba04a2f3eea521dc3435c2d6cedc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
021cca9c60afba5a3ca09d132cbc3da7

SHA1
3b269abacd2cac6d8e85cb913935fe559cfbfbf0

SHA256
e71c02a702599d19d6a4fd705dbf812c0e24ec0f47030cd6a944c2671fafb098

SHA512
cc81e2d5ffef15d561b7b42ccd72348bdd0512fb99892ba3b3710a24a38eb2522713f8e611254049996352dd990d95bc2c4339a077603ae7d533c8835d90e001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13375563130863866

Filesize
941B

MD5
75ecbb41b8a0da81061832fef8ea0c8a

SHA1
db494e4f5ab9057e08e39000b847d14d125e64d5

SHA256
2bc724f9bb44e1db6ed0fc2988397027912b23da9ece60e85b1284d9d673636a

SHA512
d3f2d00dfdf83ed99389fb12a5a6e5e72643269662dfdee0707ee04ffefbfb4d0ed313c85eb9ba0a2cbcd1fe59684c3dc2181ebf3b70d3a2f129edbe3965ecd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375563131176866

Filesize
1KB

MD5
a4638bf159a64b7014dd635b05aec4a1

SHA1
309d15ae1a03cf93e1371c10036d96015481850e

SHA256
5c2d150cbbbd79ff44df89728fc36bb382d618f12878132b67b3c3451571411e

SHA512
dbb6504a06ab0e12c52aae8e4341c5d47c7e07e5e03b46681522a2632a9cb60ca43384d346af485e8700e3c03f299e2b6d80703bcd80984d0eb5debbe2a6d16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
b3df68a6287161a2135f5870fba8e435

SHA1
807a33fb96684fec53bee1c45e5493b9586c187d

SHA256
265e821889f5e50926578b35a78959375e3addf65905d08c185088076856e9d5

SHA512
03a6ec807ed86de23bb6d13d00b4d31353bc8a7d140f506722500293c5fd218a632c88942a430e82939dfb6bb6a7ba6bc463f105142deceffee8f46a4590a55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
19fd0b19e21975ef58556c8ad429cafc

SHA1
7aedbee969c2a6ccc4c6a32eaefb413c0d73da9a

SHA256
dc1e17456cd911c1cccd3bdfda94564d933103d9347fa0837c79139c0c69a9cb

SHA512
9be7f6745efb859fd4f3583cc0f9135e9a3b527194eb77ae2ffb6a9ed237945a479435fb4b97c0be16d8c23c7c40c45d295bd421b1caabe7bc81494508e2caf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
6f189bab3e0e829f2ca24fc38c8fcb1b

SHA1
dae23a6d79d1e54dca7202ea85c45d9fc47ac3a5

SHA256
0e41a301aeef1ed9fc68d6476c2b20a02f8f7a3a3a1821c3dd00998c1d211a5a

SHA512
56ddd3b564904bf3dd035127d73aceda1f1979e6b7b960e2a8270eef89cfefee7cffa90aff685a95b916d514cd6a83f11a0060f1886f91e5b7cbb4f802731abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b39896f384fe73f4bd610d51e158b433

SHA1
15cb88a3c327b70989a719f2b5a900c6af49d07b

SHA256
0c5a1db5d10f31078dcf7a727c3f3799405c20decd3c964e194d9965bfe6b059

SHA512
8af5407f23ed2d73b250cc14f1ba06ec6dad476a9b125bb2f4a42e77b429c3eca55499298e6b4080190624cf6389c5773cd6289efe732bdd649e468d5d600c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
e30e738f6341423a69eeed9d5853a1c2

SHA1
83376cfbdf5165154d993f5b73ed32cb0d19321f

SHA256
2ee61e2da5b799fc9164202e67e402f805e2904e8fec29228c1fe72c50256e50

SHA512
c2dbdc663680a25b26251764adf9c8a7875ba3613e0072163b70bae5e63630c9eeefbd7af3639ed806eef4c72877ac0cbbbf88767ed277d9c74da7abd412911a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
04f02c19d94de290c4503220d5018923

SHA1
e7b7a6e69bd9ed9d33294615ce80ad6eedc50594

SHA256
e7a052e099c50869531e1bc3d62749b34c0f7d7ed70b2e09ee3e4735c324c67b

SHA512
1161312e7be4dd8ebf7ad5bed8bba6966a845990e6ed0812e388a1d970b578d9d5696a6a921e575405a4ad3bbb2af21002f4bdfd9b50055a028d40314932979a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
4f1438eb798f974a0d5903a4ed709af3

SHA1
c7cd54e54aee9281260b61419c3428bcdbe5fc10

SHA256
ffdeff65b71f656a971a2479594e159d648bb00a03c2b3ce5d445a2a8d91d369

SHA512
aedfbf095f25958031143ce578ea95de4d345b7b59ffd565f4766528d74686d545dfa003f62ebb46850822ee9c53dc9f60a262be08a1bf46d6aa5f8f8172abca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
588d9358f30b19bddd58e9ac6744996a

SHA1
d06d0dce8bef32d7287274cd45e888c8e598b9c0

SHA256
0f88d2ff6c5e4f4d158680b1ca1bbae06b89c1160aa4abea756388db7b83cd7d

SHA512
a3b3f42f37322661bc6e80676359fbbfe4bdc9654e2fc6e4ee14b7f96efcdd8d40841fd560d28e940c037bcde89e98b9f63f32079d955e08398c6d7b3392290e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
102803e8e293ce3ea32eb1b79968bc5a

SHA1
a8bc8f938c0da3b32bbe211eff9a354f97354a63

SHA256
ee9797f29491f56e4762c9f4c56df2cd24add71187c8c6c46a71ae781545c7a0

SHA512
745a9ce937eab7b7b534fd7b94944a59c3072669bb21ba3d99cc9c3dac67c7596606f25eb61b1df07c8c3bcabc5bbb11f12a72d6e342c265563b281e464d604b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2165ab8ed9b9f944ac543c35c72b6302

SHA1
cc15e7fe71eb676cfb1ba6e57b2096d129b8bcdf

SHA256
21e66676134592ff1176b17ac95ed41ea6d91694e02c063c0bc9f23f5c5f3bd4

SHA512
562726bdeae14c533fa02e0e6742ba1c83ab7709fd533d6160d452137a96fe5e4d0ed5790685b332d743d7e5dd3c37e422682b6466ae492e5926125b58aa0fe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6be5be803502a48354e7ebd71f0a8756

SHA1
c5907f75e75092520bfbcc8b49eda600e75e2afa

SHA256
478b2e9a73b35b15bbf0cbde26c9be81c917b2423b7bb26df4387a4f9db68c04

SHA512
a2609ce209493d028c34240bba135822e5129934342018a3286baaee0e3f5bc0177ca3f6c12ed386073d0f71e9ba4ec6e905917758fadf74c1e7e2eae7b31858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
478204d8ebd5385464ef69b841a90ac6

SHA1
4238f2e83b1acaa2f0ba449fb285a745ec6c1dfa

SHA256
1761d3251fefab7577cac37aceb485822cdfaf37ef9acc70c965c13bfffdf5a6

SHA512
2796be8227b2758255d5391ac1b0ed5e05db86e718e77bfb6578ea34c1a76f539e861756ab9393363a431c715f31f158f38e1c2706b1fd5a863638ce8bd932b0

Download Submit
C:\Windows\System32\SubDir\WindowsUpdateConsole.exe

Filesize
3.1MB

MD5
f4b0be81680b72bae9c31f3225149616

SHA1
12dca5c6e3c2e7a91ba8e30ec4e56a888d3bfa8e

SHA256
5900b0e5f972927db833977bee140aa7f10863eeb40c8f7e4742c6c8bd3a3063

SHA512
1aeb4459bb0d558194033c451f631cfd75c9941a16c33aace8808816e36ddc3322a5e17152629594014d8e9f50b6335edc673dcbc67f3a3a32d272d233107d17

Download Submit
\??\pipe\LOCAL\crashpad_1152_IKRSYBLSJEPTZASW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3648-9-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/3648-1-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/3648-0-0x00007FFFD7BB3000-0x00007FFFD7BB5000-memory.dmp

Filesize
8KB

Download
memory/3648-2-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/5088-11-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/5088-13-0x000000001C6A0000-0x000000001C752000-memory.dmp

Filesize
712KB

Download
memory/5088-10-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/5088-14-0x00007FFFD7BB0000-0x00007FFFD8672000-memory.dmp

Filesize
10.8MB

Download
memory/5088-12-0x000000001C590000-0x000000001C5E0000-memory.dmp

Filesize
320KB

Download