quasar | 3e2e9b64c2701ed6fdd503b5cd52dcda17909a3f9f5f0f6c6b42ef8c9ae23c95

Resubmissions

05/12/2024, 20:18

241205-y3mm3szpcx 3

05/12/2024, 12:32

241205-pqsh5avkc1 3

05/12/2024, 12:24

241205-pk96zstrft 10

Analysis

max time kernel
93s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

registry.html
Size

1KB
MD5

689a1880d6c5c0af7d0e3e567fe3df23
SHA1

0e6f59da774e68d9aa8e18ae06865c473a721900
SHA256

3e2e9b64c2701ed6fdd503b5cd52dcda17909a3f9f5f0f6c6b42ef8c9ae23c95
SHA512

2ea34967d9a2c2478734537731fda96017e97fef4fd8ede1ec025e4fef992ca99fb8c412b15569edd697d451f26c6bce589783e0393dfe9538c158a7f1207160

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

JonahOscendoskY-53420.portmap.host:53420

Mutex

f38ec230-fd60-44ab-91a9-17577e4487f9

Attributes

encryption_key
E127FB40EABF3C6167749BEDDDBC64167ED27B67
install_name
Registry.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Registry
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c71-101.dat	family_quasar
behavioral2/memory/4980-146-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4980	registry.exe
2224	Registry.exe
4348	registry.exe
3112	registry.exe
1168	registry.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Registry.exe	registry.exe
File opened for modification	C:\Windows\system32\SubDir\Registry.exe	registry.exe
File created	C:\Windows\System32\SubDir\Registry.exe\:SmartScreen:$DATA	registry.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 347977.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 140521.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4828	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
392	msedge.exe
392	msedge.exe
2312	identity_helper.exe
2312	identity_helper.exe
2544	msedge.exe
2544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	registry.exe
Token: SeDebugPrivilege	2224	Registry.exe
Token: SeDebugPrivilege	4348	registry.exe
Token: SeDebugPrivilege	3112	registry.exe
Token: SeDebugPrivilege	1168	registry.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe
392	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1040	392	msedge.exe	82
PID 392 wrote to memory of 1040	392	msedge.exe	82
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 3004	392	msedge.exe	83
PID 392 wrote to memory of 4016	392	msedge.exe	84
PID 392 wrote to memory of 4016	392	msedge.exe	84
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85
PID 392 wrote to memory of 4012	392	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\registry.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff994ef46f8,0x7ff994ef4708,0x7ff994ef4718
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\Downloads\registry.exe
  "C:\Users\Admin\Downloads\registry.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Registry" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Registry.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- - C:\Windows\system32\SubDir\Registry.exe
    "C:\Windows\system32\SubDir\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2224
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Registry" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Registry.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1808
- C:\Users\Admin\Downloads\registry.exe
  "C:\Users\Admin\Downloads\registry.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Users\Admin\Downloads\registry.exe
  "C:\Users\Admin\Downloads\registry.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7744970146946354105,5558132433281369969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Users\Admin\Downloads\registry.exe
"C:\Users\Admin\Downloads\registry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
676B

MD5
9b3f8ce20fa4f670580b7511e740e6ec

SHA1
6ae1dd82b521fe4229b1ca4b96b55f651c486dca

SHA256
4ef1b834c948f1deabe92a7e3a1522af35f95c12db3cd863c95981170c5cdd68

SHA512
8f97f1ea5df089016e6b899121cb1a6837b1176c9c0ce6c2cb2547f9f8f030c0ec59b79ece5d91500d2b1db364379ada6002e67db966af10f08e29e5fcae5fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07263c3c661fc80458c16ef765253072

SHA1
45f9d8f93fb704a21a097150506d071a01a95336

SHA256
74c9e5bec7e2804c4506624e2eda137a6f077670e805d6b803c929493af49ffb

SHA512
b6401c5e4dd0bf338a15273053d7f478bdc325a0585ccae1b440cdc0736ad5d05f84fe35822a75b3cb97a27bedc14bcba390b3adafaecd98c8513f68eabd0bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ee203ad2653e91ceef68c66427d671c

SHA1
5c68daf22b0934a66f10f511699d177600589035

SHA256
c3734c9f75bce269ea9c9e194a49ffa20a7b4c2e280e4bc97870972fc03a50cf

SHA512
4dbf87cc417cdadfeefa159da74148ef606e9b750cf31485b6e62e94a32a2d89b38a56e751d87c6d997ec3f4559b6ed4fd5987aff6969ec48b2e162ce385169d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7caacc23f1fdb034d1ec8c33b77dd735

SHA1
561bc74d9f9ad11781b099a2424e9578f879260c

SHA256
39dfe465613db3f643aeb15455d69d02a097e9d46b5d22ffddb83dc611483670

SHA512
b5b89c0799d38f805c5024865baeb882748670548d6d20c474216094ceee37a20aa7711a4eb593529816dff948cc207c2219c632a5c99be2a102659683848946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e0ecf9ae5a921b6a595fa384d246a00

SHA1
a6e5a7c0ed90e64a19fd851fedcfb6e809ff3616

SHA256
478b6aa35a9de8bfd8cd5185a874d02b48f8600d6a0295d6a154e253a3175693

SHA512
8e29850ebf2b43e5ffc78e8f32fa103e8c87f4837a5015aedc49ab602e42061e4df78051877e9e6a2284789c1d3110787d5f606373b90b1aa19243fb09b982c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ef19a7113d915f8c9950a01333de129

SHA1
59ebc7607ad64146ae156d7c1faac1f76e526dad

SHA256
bf7d5109cec17dc117be818d9eab30ad5d793cd72992a7ab93494f77b04ef100

SHA512
2994af21c4cffedbec3bec85742b332854cdb7bd973e3f6f99557dc4f128e30621695d47e21908bdf2822a29283d71a13050dbaaab8bc5e0c8af674905076a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
733bd87f7b277eae07216612a10eb531

SHA1
2abdef3f44d693e1a22dd1fd9e72d77b058632aa

SHA256
16d3765a9c028f6a78fc7a11016ade94893aa58cc82dc7250a34bae2b7a75aac

SHA512
94ce86ac7af8f1ecdff61d465f1ffe77664e7a41874b65f8c6966de9734056e6bbdcc4a672b25c8a76cdeb71005e2bf6563c0e793d24c7f371725f257781ebf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583294.TMP

Filesize
203B

MD5
f94f8c1d94f106868a2d9b8d8f932cd4

SHA1
caa6cfab1f64042e7a43bea30fde5c4b1771fbdd

SHA256
db71cee11bdc3c65fb90ca31536f31db22c7d17da1815e15ee2d1948e100fde5

SHA512
aa17fce3045cb4732662da82d8e1e48f31bb4e03ab0fd67ab72855e66d3e01c403179dd18f6b4d80f1a2213e9468e91c07bb77489f1edd553dec0dfc2dfaa428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77e59b2f498ea6ff5053e2f51d6a7ddb

SHA1
8092341c1769af6d9c824a0e5679539ce0c84521

SHA256
36332dacab5e45866021690c3ce9c257610618e65836ccf0b4a97e3e91e16a3e

SHA512
ba487ef1786e6cedd93c4001d9a15297518ee564f2f4324df032094970c8b54467f2b31da1a5f03e1ba80fdf356ea92def9b72e31ad86a84f5e95be200dad051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bc94a4d0628b5d36aa7bf0e8637e1f56

SHA1
5d45c820eba875bbb7994431b6fd82a433f2eb4c

SHA256
76459f0fd29c3973e7273da054b46e6c5a2cd1b92072f6258f13cbf62c371f1e

SHA512
4578920b4e5903c56fa8b41fe137770913da9956f4a8508183599ca154f28fa9df9d9083f8065086b00478b20f33937656a14ef0ee282b76495a682274d77688

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 347977.crdownload

Filesize
3.1MB

MD5
856af8902c2dafc7a5bc1756300b7e6b

SHA1
234f69af2257f17e7961656413794bb2968af432

SHA256
d888126c2f1e9639469e7038e4ab840a52c7bcdcedbceac7a55e14e391d01cbd

SHA512
24fbbad0b282cfb5e5555683319e681ecc723ebd61066ccf02f055abf898b5fab68cfcf26891884faca1d54e706f845b8d561dc368bae2163ac8cabcfaea2490

Download Submit
memory/2224-156-0x000000001BC20000-0x000000001BC70000-memory.dmp

Filesize
320KB

Download
memory/2224-157-0x000000001BD30000-0x000000001BDE2000-memory.dmp

Filesize
712KB

Download
memory/2224-160-0x000000001BC70000-0x000000001BC82000-memory.dmp

Filesize
72KB

Download
memory/2224-161-0x000000001BCD0000-0x000000001BD0C000-memory.dmp

Filesize
240KB

Download
memory/4980-146-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download