quasar | hxxps://github[.]com/quasar/Quasar

System Information Discovery

Processes:

screenrec.exeQtWebEngineProcess.exescreenrec.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQuasar.exeQtWebEngineProcess.exeWindows Updater.exeQtWebEngineProcess.exeQtWebEngineProcess.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	screenrec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	screenrec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Quasar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Windows Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe

Executes dropped EXE 23 IoCs

Processes:

ScreenRec_webinstall_all.exevcredist_x64.exeSetup.exevc_redist.x64.exevc_redist.x64.exescreenrec.execrashpad_handler.exeQuasar.exeWindows Updater.exeWindows Updater.exeQtWebEngineProcess.exeQtWebEngineProcess.exeWindows Updater.exeWindows Updater.exey7KyUGcH7zQk.exescreenrec.execrashpad_handler.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exe

pid	Process
2524	ScreenRec_webinstall_all.exe
5660	vcredist_x64.exe
6000	Setup.exe
1740	vc_redist.x64.exe
1252	vc_redist.x64.exe
4616	screenrec.exe
3192	crashpad_handler.exe
1440	Quasar.exe
5780	Windows Updater.exe
3024	Windows Updater.exe
1952	QtWebEngineProcess.exe
5504	QtWebEngineProcess.exe
3256	Windows Updater.exe
5240	Windows Updater.exe
2920	y7KyUGcH7zQk.exe
5536	screenrec.exe
1388	crashpad_handler.exe
5736	QtWebEngineProcess.exe
112	QtWebEngineProcess.exe
3868	QtWebEngineProcess.exe
6004	QtWebEngineProcess.exe
5712	QtWebEngineProcess.exe
1420	QtWebEngineProcess.exe

Loads dropped DLL 64 IoCs

Processes:

ScreenRec_webinstall_all.exeSetup.exevc_redist.x64.exescreenrec.execrashpad_handler.exe

pid	Process
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
1252	vc_redist.x64.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
3192	crashpad_handler.exe
3192	crashpad_handler.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

Windows Updater.exeScreenRec_webinstall_all.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RAT = "C:\\Users\\Admin\\Pictures\\Windows Updater.exe"	Windows Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScreenRec = "C:\\Users\\Admin\\AppData\\Local\\StreamingVideoProvider\\ScreenRec_app\\screenrec.exe"	ScreenRec_webinstall_all.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\Pictures\\Windows Updater.exe\""	Windows Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Value #1	Windows Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RAT	Windows Updater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
43	camo.githubusercontent.com
44	camo.githubusercontent.com
45	camo.githubusercontent.com
46	camo.githubusercontent.com
47	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127014011.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\74248075-fbc2-42fa-95db-46d15c493769.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exevc_redist.x64.exevc_redist.x64.exeScreenRec_webinstall_all.exevcredist_x64.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenRec_webinstall_all.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exeSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
1916	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

Quasar.exescreenrec.exemsedge.exeexplorer.exemsedge.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	screenrec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96"	screenrec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 02000000030000000100000000000000ffffffff	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 66003100000000007b59ce0d10005155415341527e312e3100004c0009000400efbe7b59bc0d7b59ce0d2e000000030d0400000004000000000000000000000000000000c2c8bd005100750061007300610072002000760031002e0034002e00310000001a000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff	Quasar.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{BDDF9497-EAB0-4CC4-8C4D-3D5977C4E580}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 14002e80922b16d365937a46956b92703aca08af0000	Quasar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000	screenrec.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}	screenrec.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\5	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000500000004000000030000000200000001000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	screenrec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	screenrec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Quasar.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	Quasar.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "6"	Quasar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

screenrec.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	screenrec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	screenrec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	screenrec.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 921838.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1688	schtasks.exe
2164	schtasks.exe
5416	schtasks.exe
2740	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

screenrec.exeexplorer.exescreenrec.exe

pid	Process
4616	screenrec.exe
1296	explorer.exe
5536	screenrec.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeScreenRec_webinstall_all.exeSetup.exescreenrec.exemsedge.exeQtWebEngineProcess.exeQtWebEngineProcess.execrashpad_handler.exemsedge.exescreenrec.exeQtWebEngineProcess.exemsedge.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exeQtWebEngineProcess.exemsedge.exe

pid	Process
4404	msedge.exe
4404	msedge.exe
852	msedge.exe
852	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
4292	msedge.exe
4292	msedge.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
2524	ScreenRec_webinstall_all.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
6000	Setup.exe
4616	screenrec.exe
4616	screenrec.exe
5996	msedge.exe
5996	msedge.exe
5504	QtWebEngineProcess.exe
1952	QtWebEngineProcess.exe
4616	screenrec.exe
4616	screenrec.exe
3192	crashpad_handler.exe
3192	crashpad_handler.exe
2400	msedge.exe
2400	msedge.exe
5536	screenrec.exe
5536	screenrec.exe
5736	QtWebEngineProcess.exe
5452	msedge.exe
5452	msedge.exe
112	QtWebEngineProcess.exe
3868	QtWebEngineProcess.exe
6004	QtWebEngineProcess.exe
5712	QtWebEngineProcess.exe
1420	QtWebEngineProcess.exe
1556	msedge.exe
1556	msedge.exe
5536	screenrec.exe
5536	screenrec.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

screenrec.exeQuasar.exeWindows Updater.exeWindows Updater.exescreenrec.exemsedge.exe

pid	Process
4616	screenrec.exe
1440	Quasar.exe
3024	Windows Updater.exe
5240	Windows Updater.exe
5536	screenrec.exe
5452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

Processes:

msedge.exe

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEscreenrec.exe7zG.exeQuasar.exeWindows Updater.exeWindows Updater.exe

description	pid	Process
Token: 33	5316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5316	AUDIODG.EXE
Token: 33	4616	screenrec.exe
Token: SeIncBasePriorityPrivilege	4616	screenrec.exe
Token: SeRestorePrivilege	5568	7zG.exe
Token: 35	5568	7zG.exe
Token: SeSecurityPrivilege	5568	7zG.exe
Token: SeSecurityPrivilege	5568	7zG.exe
Token: SeDebugPrivilege	1440	Quasar.exe
Token: SeDebugPrivilege	5780	Windows Updater.exe
Token: SeDebugPrivilege	3024	Windows Updater.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe
Token: SeCreatePagefilePrivilege	4616	screenrec.exe
Token: SeShutdownPrivilege	4616	screenrec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exescreenrec.exe7zG.exeQuasar.exescreenrec.exe

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
5568	7zG.exe
1440	Quasar.exe
1440	Quasar.exe
4616	screenrec.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

msedge.exescreenrec.exeQuasar.exescreenrec.exe

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
1440	Quasar.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe
5536	screenrec.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

screenrec.exe

pid	Process
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe
4616	screenrec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 852 wrote to memory of 4936	852	msedge.exe	81
PID 852 wrote to memory of 4936	852	msedge.exe	81
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 3224	852	msedge.exe	82
PID 852 wrote to memory of 4404	852	msedge.exe	83
PID 852 wrote to memory of 4404	852	msedge.exe	83
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84
PID 852 wrote to memory of 3348	852	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/quasar/Quasar
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff23b146f8,0x7fff23b14708,0x7fff23b14718
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x114,0x110,0x25c,0x11c,0x7ff6490d5460,0x7ff6490d5470,0x7ff6490d5480
    3⤵
    PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1184 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7104 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7404 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:5452
- C:\Users\Admin\Downloads\ScreenRec_webinstall_all.exe
  "C:\Users\Admin\Downloads\ScreenRec_webinstall_all.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\vcredist_x64.exe
    "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\vcredist_x64.exe" /passive /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5660
  - - \??\f:\fec4dc67d701dc7b27b65cc673ff19\Setup.exe
      f:\fec4dc67d701dc7b27b65cc673ff19\Setup.exe /passive /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:6000
- - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\vc_redist.x64.exe" /passive /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Windows\Temp\{38E8C18E-A091-4B4A-90A6-2644EE4F83B1}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{38E8C18E-A091-4B4A-90A6-2644EE4F83B1}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\vc_redist.x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=576 /passive /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1252
- - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\screenrec.exe
    "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\screenrec.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4616
  - - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\crashpad_handler.exe
      C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native --metrics-dir=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native --url=https://o83388.ingest.sentry.io:443/api/4505567339675648/minidump/?sentry_client=sentry.native/0.6.1&sentry_key=d4ad0b68f5f5425ebf1a6e2f0a31638c --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\cd87b988-fd6c-4200-a618-17e509211871.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\cd87b988-fd6c-4200-a618-17e509211871.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\cd87b988-fd6c-4200-a618-17e509211871.run\__sentry-breadcrumb2 --initial-client-data=0x768,0x76c,0x770,0x764,0x774,0x7fff13733708,0x7fff13733720,0x7fff13733738
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3192
  - - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
      "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --first-renderer-process --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1848 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1952
  - - C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
      "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=5140 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3104 /prefetch:8
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8044 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7677880397984160708,15264615446584025769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8664 /prefetch:1
  2⤵
  PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:32

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25667:88:7zEvent5830
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5568

C:\Users\Admin\Downloads\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar v1.4.1\Quasar.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1440
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar v1.4.1\quasar.p12"
  2⤵
  PID:4100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1296

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4456
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1916

C:\Users\Admin\Pictures\Windows Updater.exe
"C:\Users\Admin\Pictures\Windows Updater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5780
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2164
- C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5416

C:\Users\Admin\Pictures\Windows Updater.exe
"C:\Users\Admin\Pictures\Windows Updater.exe"
1⤵
- Executes dropped EXE
PID:3256
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2740
- C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5240
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Updater.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\y7KyUGcH7zQk.exe
    "C:\Users\Admin\AppData\Local\Temp\y7KyUGcH7zQk.exe"
    3⤵
    - Executes dropped EXE
    PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5104

C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\screenrec.exe
"C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\screenrec.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5536
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\crashpad_handler.exe
  C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native --metrics-dir=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native --url=https://o83388.ingest.sentry.io:443/api/4505567339675648/minidump/?sentry_client=sentry.native/0.6.1&sentry_key=d4ad0b68f5f5425ebf1a6e2f0a31638c --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\6ec16797-44c3-4f49-9bff-14d7868aaa8c.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\6ec16797-44c3-4f49-9bff-14d7868aaa8c.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\.sentry-native\6ec16797-44c3-4f49-9bff-14d7868aaa8c.run\__sentry-breadcrumb2 --initial-client-data=0x754,0x760,0x764,0x750,0x768,0x7fff13823708,0x7fff13823720,0x7fff13823738
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --first-renderer-process --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=4608 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5736
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=5748 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=5756 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=7052 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=6988 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\StreamingVideoProvider\ScreenRec_app\QtWebEngineProcess.exe" --type=renderer --webengine-schemes=qrc:sV --disable-speech-api --enable-threaded-compositing --disable-databases --disable-gpu-compositing --disable-blink-features=EyeDropperAPI --lang=en --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=6980 --enable-features=NetworkServiceInProcess2,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,EyeDropper,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery