quasar | 1d540999c78833cce0176eef65096caf459d4cd56472c068ce728868653aac8f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niggarab.exe
Size

3.1MB
MD5

448ec0f3a024768ba82ca362ac35e54f
SHA1

6b0f1d6976283f31ce29c83ce5bc2f5bc2e94a49
SHA256

1d540999c78833cce0176eef65096caf459d4cd56472c068ce728868653aac8f
SHA512

cbb7fc6143e59c3b376dee87435ae19c987f130926e01d0c8ddf6ce303488047697f35ad3d26d0f55a0894a74271fb9b52beb859959e05f5709dbde75eb8aae7
SSDEEP

49152:Xv7cfX2hcawDEhPLl8r/ptXpga584Qx9E1zxk/Jx6oGdRTHHB72eh2NT:Xvwv2hcawDEhPLl8r/XXpga584Qx3U

Score

10^/10

quasar jaffacakes лох, сдохнет от спида!!! i hate niggers discovery phishing spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

JaffaCakes лох, сдохнет от спида!!! I hate Niggers

rab1.premium-televizor.net:18651

Mutex

af92703d-a16f-40c6-8fff-b3793fd59f85

Attributes

encryption_key
0F1B05653C3B3AB3BB4ECD772DD024668CBE8DF1
install_name
system32.exe
log_directory
Keyboard
reconnect_delay
3000
startup_key
Trusted Installer
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1380-1-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b80-7.dat	family_quasar

A potential corporate email address has been identified in the URL: httpswww.youtube.com@WarGackcbrd1
phishing

Executes dropped EXE 1 IoCs

pid	Process
3424	system32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\system32.exe	niggarab.exe
File opened for modification	C:\Windows\system32\SubDir\system32.exe	niggarab.exe
File opened for modification	C:\Windows\system32\SubDir	niggarab.exe
File opened for modification	C:\Windows\system32\SubDir\system32.exe	system32.exe
File opened for modification	C:\Windows\system32\SubDir	system32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1792	schtasks.exe
3660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
3592	msedge.exe
3592	msedge.exe
2012	identity_helper.exe
2012	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	niggarab.exe
Token: SeDebugPrivilege	3424	system32.exe
Token: SeBackupPrivilege	1792	svchost.exe
Token: SeRestorePrivilege	1792	svchost.exe
Token: SeSecurityPrivilege	1792	svchost.exe
Token: SeTakeOwnershipPrivilege	1792	svchost.exe
Token: 35	1792	svchost.exe
Token: 33	1180	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1180	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3424	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1792	1380	niggarab.exe	86
PID 1380 wrote to memory of 1792	1380	niggarab.exe	86
PID 1380 wrote to memory of 3424	1380	niggarab.exe	88
PID 1380 wrote to memory of 3424	1380	niggarab.exe	88
PID 3424 wrote to memory of 3660	3424	system32.exe	91
PID 3424 wrote to memory of 3660	3424	system32.exe	91
PID 3592 wrote to memory of 1620	3592	msedge.exe	111
PID 3592 wrote to memory of 1620	3592	msedge.exe	111
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2728	3592	msedge.exe	112
PID 3592 wrote to memory of 2656	3592	msedge.exe	113
PID 3592 wrote to memory of 2656	3592	msedge.exe	113
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114
PID 3592 wrote to memory of 1432	3592	msedge.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\niggarab.exe
"C:\Users\Admin\AppData\Local\Temp\niggarab.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Trusted Installer" /sc ONLOGON /tr "C:\Windows\system32\SubDir\system32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1792
- C:\Windows\system32\SubDir\system32.exe
  "C:\Windows\system32\SubDir\system32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Trusted Installer" /sc ONLOGON /tr "C:\Windows\system32\SubDir\system32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f3cc46f8,0x7ff8f3cc4708,0x7ff8f3cc4718
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,9346551889203358830,5725015028844172899,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e59bd28a9bfd1df082d9a82d96fed95d

SHA1
9e1b10dbc28f7605f43020a81dea4d7d50f03222

SHA256
1e737f399be72e76d39cd76d48fb95843fe14f7344066598c2a7613f33f28e0b

SHA512
08ac8de7f5a61f2460a7c9264814160cfad600ecb6664439501bc80fd197e81169eb1fb5d0f51799f44ab8f741299db1ff1d2402defb45fa38892ef4e30d6dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d29951aa9796668628c477b105e7df64

SHA1
e5b3e45431696ff4f47f2f4bba1607dff8ad6b3f

SHA256
02ee5ed2d2f6534c8f08ae2b087acfebbce94c8cacb4e546e95515645ed369a0

SHA512
81174af9f04c8a73ca269c0e96de43e99b8ada6e259a42ffd070f815bfe1ad3de38705b0f3174994b9673be83b81b25c956a017ae548f6c3bcd99ae198c45c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
388d1ca2c241f35293ab1f13054bc9a3

SHA1
197700ecbf84ff49c057c35ac60b396fe2a09eb2

SHA256
895c4bf676a8a02e80bce119598c79e6077eabf1887664620b01ba0635fb0672

SHA512
b585a162d1e69c47ff5ef7a1abd8bc138634e20114947db296c0a0c40ef29aec2ca7cc472bde3141f89d4ef63845d5f7c2b0ecc9b768bf5a89d1eedf976c2222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f8dc24514f22d5124513a0ca17743083

SHA1
d2df94370663b28efa0f954fb6f3087baa6553ec

SHA256
71b150754f0e0230190341b1fe653bb3e106582733085c271fec3c12fc2abaa7

SHA512
451199fcba7ec74d4b1d97d02b2d50559276ecbdd8f903d608fcb103943d25d062ae5e6257b7e9fb4879ea2eeb799e2893d7417ddbb692a8225fb37febcfd1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b06ff0ddc36053805d79cdce8ff5187

SHA1
d1a412dc0537ceedb42f2a9e429005f65b8c5b6e

SHA256
f85fd739891e62bf5a6f5911a9d47d3f93698555015f25827a7c116707157ae6

SHA512
7bb7e094432dde5092399f327dcf60a538143f2c45cc5c68cff102b8efa1f66037821695287adcf9f139e06059eb2f2b701a9bfe6715d11144162cc290022ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b71698ffb1b424cf851e3611372f685

SHA1
0231bb02a031a085177ee7f2c164a6170110dcff

SHA256
b48f14c0b405e7db106d4065bb91c04008f878340d5cf7b0551242312b726543

SHA512
11258693b4385a5988be1358328a98bb8726d608e6217a6ce073ff2acde6c8fdeb74b2ba6567c861e6094d5f7d47f8ac2beddafc97c19e9bbdc9f1d56ec053ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
55e75c4c1c6cb3272393901de1b80d43

SHA1
c285fd88ae2d966c051948a1e0ff3747ecc8196f

SHA256
fe9bc3dcdf871f47eef4f0d56c6bd390d0ab997a85603ec78343cc3e39ef3c76

SHA512
0ed037ac4a4720d2ce3e5928f094634c3269fb868b60fa404372de2f8cba315cb931ff1cdd8864ea3eaa4ca55c82c8e65d54deaa30eeeb90d49ec06c64483eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\057467fb-a02b-41b2-be1e-d59f00211c42\index-dir\the-real-index

Filesize
624B

MD5
fb7b839103e4d642579bc2adf1fd67f5

SHA1
504278f174178245f6caea74e9a1d9ac34d22cb6

SHA256
d7247e31517b92ffff5c7ab808f2c27cdf89ca5eaa46038968d3da2620158ba6

SHA512
677b75278e6cb77ba583dae07baf1541e78f134e047f1c4553283040916cc384f920849b2177d117ee47d175d583a5a6683e80de6c82a620faaedd8b8067be39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\057467fb-a02b-41b2-be1e-d59f00211c42\index-dir\the-real-index~RFe591880.TMP

Filesize
48B

MD5
69751e4742b9f5aec6ca437880eb3508

SHA1
917aba98f1de3f0b747d6ff803701370f1a329db

SHA256
24c55d2a43dcd46d3584d05975c3478bae5c0058ee177d67f1f6537cb4d31d19

SHA512
c3bcae5351379ece126881632992efeb61243968cf9e97d86f77ec03f6fb719e5ed89abd8c6a7803bcd30c8b99e611dbba53d71e26fc1e79678311307074cebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c02b0db1-bd0a-4edd-a334-0315fc98bdff\index-dir\the-real-index

Filesize
2KB

MD5
3950d3ace24842669a6872831cf8e1b7

SHA1
bd9caad05627dae0a0a5b0c870e401c90e804b8a

SHA256
abb1a9ddd4eba0b78ccb8a0aa1d2b6b16fd3c86c4c54a6975d4172a4d2c9c7fe

SHA512
c04d7d729aa2a060e175c3b78b0cf5226041bb80a0eb0fb7bf383cccab39dfc1731b11915c94551634624d729f6e69ced2bdb85ef82e1766877ec9d876612bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c02b0db1-bd0a-4edd-a334-0315fc98bdff\index-dir\the-real-index~RFe591f17.TMP

Filesize
48B

MD5
8e3fbba3d70f8e78a6f470cfbebe0da8

SHA1
ca4f1637de98c67d20ae81d60743cecddb690623

SHA256
afc276951c072294831a1ed24ca7d639a20dd667b4d3f6ae003173976b4d6f2b

SHA512
6c18bea142c17c3f82fc96d9145d7faff5d4fb30c4842f2c8e2f920e0e709660431faec0d01bd8780b13b73bad3274082881c50f0ef9e7422aa395966837ccfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
8846c2f9cf41a42cbe5206da369488cc

SHA1
db92dbde4ed7fcbec179ab4d8d73b7f6a11af7b0

SHA256
94f8c1d2dd247f3349ced5070185b400e68ecd55495d8fd5278a43a3d47e314e

SHA512
67482e5d80268c9839ad29744b85e701b930755f6cd5e280ed785f65f370267d2b8b5d3fd8aa67c077cea9e8b3ca07f9feea672db19fb3e66eb0008feba9b46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
92bc825fcd6ec89eba95516aafd54c8d

SHA1
5ae0d08086430e9bce910228246b7bc8e4127800

SHA256
ab77701eb9faa1ded9ab8a85e2598f81e2f19844e2d68f39d9b25db6579b6a23

SHA512
275822e2baa68e182b4cf8980fadb90da73822f25bb51a43d6115de635e500763e7be5379342a4c0fa84e4bc426ae13bf8f50d9dfb00689d53f169d16a19e190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
8a8273b93832adc526097e730f26ca65

SHA1
cd1fa165c8f8f3be67e08225af93fb8be94fde49

SHA256
3f62014d6ccf0eb33ef8e6897cc7ce38596b3866a468fc7176d5d11c5dedce79

SHA512
2b198ba14ed739ccd4d6f52edd9919de72898b53e832e34e753a668edf4dc988bebb7071693321e4fbd546db5a46c7e1bf4a3475fdfd9a4a86bd463a0fdbe1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0f3aa518e5aebbb59538f8193009c6b2

SHA1
df519edfc5c0414035a01d915c9c99be4fec8fe6

SHA256
6fd71937e62abf10372ad53c02c43abe69913eb97d07943ecaecb80db70af34e

SHA512
b497758d59e3282f4a40523e40626ba6379c911f7738f2d2226303bab726a6840d0e7ae6aa0555ed6ee56a9d42bc905bbb627063a33500888dc93d49b6e99f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
ee4f20d3ae270515e204ee483533e02a

SHA1
5c9bcfcefe09a58dc97b3321e5dff398331ac476

SHA256
52ed18c23bab96a17e22f59bf77e1e9cb27d00a52d2d9209f2613e615df14770

SHA512
6834413c2cda114f1097ecaf4efd5e2dbb442b0da1fc36619f7be2602422fe2cf7cf41e71feded92a21b46c3f1b77c9be2e12df454f2470c8eade4c536b54642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ce9341516a051c40fc4dd445111f6715

SHA1
2e5d57efffbdee05dc3d341240b2c419522b69db

SHA256
7b1a99367b952821bcef081cbc37e348dd6cbbd481af17cf5f9aedd656de804f

SHA512
9f349b2742eb1e5994bac365e4581b1c7d1236c43b98cb01a2938e29a5d79f05094d1d1bd0d2a3eedcea8e0aa6049d25057f5350428abe5a5935c07875dc401b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591090.TMP

Filesize
48B

MD5
0dfc5043f562368cfcd32b3d8d08ab68

SHA1
c77e9ae1bd5d9178bf34b617133059c7860b6f10

SHA256
de5e9a50775fc28d57a483af024c06ae74bcc543888753bf2139367a8200a1d4

SHA512
0cf86f3b6f1f9e9cbcd36af3c465bc0c0ac87ecfca1f763573c9026f7077d3aaf94f7e3d9bdd8f526f8635eec3f88bb73736caaf2c4ad20736c0fd0af0d2b434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
052c4458e40fe94fa5f33d1e32eded4e

SHA1
82d477a2baf2cc0f32b7a4fa61d7f75157fd5d89

SHA256
87ed3cfe8d8aac8bd556fbe49501d8b2fe9feb3bb050d2951f910750cfd9ab88

SHA512
555bb2e1fa25a9b897081f179cd720d627342372c73c90f3efd46454a239431939b2bc0f59d71a12bffab6d64773822a5a12c018014daa41807dad16fa787086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58dea3.TMP

Filesize
872B

MD5
fa0a09fcd7a3a24e8e51e9f7813993d5

SHA1
16696f8217a347be0575fa61c8f595620f602e61

SHA256
e17b9ba967e9f0d47a179532119bed736780cce2c84afeb65bdcbcb48b5b0926

SHA512
affdd4a106a0a1a9c66e87be1e362853b642131f203bc8715fbca47f8f6383bd6a405b9625f87f4ff57b730fda55806fba7a021bc775925600168c61257dcd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c2b9865a409be04fce11c00b8823f681

SHA1
518a97f3e67545a0184ee22c4ba74dc3574a066d

SHA256
8f46fda2f68283f55883b47c5503b821c5391c4c3ca4705261e6a67d5dc425f6

SHA512
cbe94fc08b57bd45ee9b9beb5f1e34d407387283abeea5848695bf530b21d5659b48bc79f451c60cf7038f74ab60e9a25018cc1ea9ba7c54d5ee5200ec17061b

Download Submit
C:\Windows\system32\SubDir\system32.exe

Filesize
3.1MB

MD5
448ec0f3a024768ba82ca362ac35e54f

SHA1
6b0f1d6976283f31ce29c83ce5bc2f5bc2e94a49

SHA256
1d540999c78833cce0176eef65096caf459d4cd56472c068ce728868653aac8f

SHA512
cbb7fc6143e59c3b376dee87435ae19c987f130926e01d0c8ddf6ce303488047697f35ad3d26d0f55a0894a74271fb9b52beb859959e05f5709dbde75eb8aae7

Download Submit
memory/1380-1-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/1380-0-0x00007FF8FC723000-0x00007FF8FC725000-memory.dmp

Filesize
8KB

Download
memory/1380-2-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

Filesize
10.8MB

Download
memory/1380-9-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-13-0x000000001B910000-0x000000001B9C2000-memory.dmp

Filesize
712KB

Download
memory/3424-12-0x000000001B0D0000-0x000000001B120000-memory.dmp

Filesize
320KB

Download
memory/3424-11-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-16-0x000000001B0A0000-0x000000001B0B2000-memory.dmp

Filesize
72KB

Download
memory/3424-10-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-17-0x000000001B890000-0x000000001B8CC000-memory.dmp

Filesize
240KB

Download
memory/3424-18-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-49-0x000000001DC60000-0x000000001E188000-memory.dmp

Filesize
5.2MB

Download