quasar | hxxps://gofile[.]io/d/FwnpgK

Resubmissions

11-12-2024 21:19

241211-z6pghstjgq 10

11-12-2024 21:18

241211-z5x29synbz 3

Analysis

max time kernel
139s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/FwnpgK

Score

10^/10

quasar c0nvar defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

c0nvar

10.0.2.15:4782

Mutex

5f356d1d-9478-4b8b-bb7a-36cdaf711a22

Attributes

encryption_key
5316134D3D004512946441D81B03C1383BD4BF32
install_name
matcall.exe
log_directory
WindowsDiagnostics
reconnect_delay
3000
startup_key
Microsoft Attribute Caller
subdirectory
UserRequired

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aaf4-78.dat	family_quasar
behavioral1/memory/1136-106-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1136	RealtekRdrivers.exe
1780	matcall.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RealtekRdrivers.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 293922.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RealtekRdrivers.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\UserRequired\matcall.exe\:SmartScreen:$DATA	RealtekRdrivers.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4816	schtasks.exe
4104	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3736	vlc.exe
3404	vlc.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
4300	msedge.exe
4300	msedge.exe
2356	msedge.exe
2356	msedge.exe
896	msedge.exe
896	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
1396	msedge.exe
1396	msedge.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3736	vlc.exe
3404	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	RealtekRdrivers.exe
Token: SeDebugPrivilege	1780	matcall.exe
Token: SeDebugPrivilege	4072	taskmgr.exe
Token: SeSystemProfilePrivilege	4072	taskmgr.exe
Token: SeCreateGlobalPrivilege	4072	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3404	vlc.exe
3404	vlc.exe
3404	vlc.exe
3404	vlc.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
2356	msedge.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3736	vlc.exe
3404	vlc.exe
3404	vlc.exe
3404	vlc.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe
4072	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1780	matcall.exe
3736	vlc.exe
3404	vlc.exe
880	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1104	2356	msedge.exe	77
PID 2356 wrote to memory of 1104	2356	msedge.exe	77
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4580	2356	msedge.exe	78
PID 2356 wrote to memory of 4300	2356	msedge.exe	79
PID 2356 wrote to memory of 4300	2356	msedge.exe	79
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80
PID 2356 wrote to memory of 3136	2356	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/FwnpgK
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa3c4a3cb8,0x7ffa3c4a3cc8,0x7ffa3c4a3cd8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,14471317068210277067,7518550742918196976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Users\Admin\Downloads\RealtekRdrivers.exe
  "C:\Users\Admin\Downloads\RealtekRdrivers.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft Attribute Caller" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\UserRequired\matcall.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4104
- - C:\Users\Admin\AppData\Roaming\UserRequired\matcall.exe
    "C:\Users\Admin\AppData\Roaming\UserRequired\matcall.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1780
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft Attribute Caller" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\UserRequired\matcall.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3244

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetStop.m4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResolveJoin.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4072

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b8da4f3feceaa64efb84d753dec73320

SHA1
bea0632e8203664fbcc635550d5981a1e22b5657

SHA256
49afda7058626a332bc3aaeadc34cb73cfb6a5cdaa331c35e3e5d75a02a39f63

SHA512
02d9e65f7b1e98cc720cd7d3d5aac77e479162403d432ac394043fd8ea8c2e9ac1912d06e0d9b28eb0bc0f763fa7b77e073d6af259fdac0f6240ada965c15136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
ab275d2f26e9f1f7bddfd70d4a6c83b0

SHA1
fc2f34a41fde8c1efefa22a4752ed10e05d535f8

SHA256
4f4d38c0d6fe7b3375b7ef066d3a80a7b04271803725757754253ec5dcd372bf

SHA512
f8d9fee45a9174ef588730aa31c01159fa0aeca2b1dd1d8c016a5697271e83339f6d503e321d28ee4797ab8ff282c7d3aa081370914b749c4b41c034b7b9c921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ca8c2546390d9f2f04374bb81f1ccf2

SHA1
715b4046fd2c252a1a94b28f50da31578425936a

SHA256
f57f2a2dd3c84ba6328ce3c3210df1a19fdf301622cde39b3f9316ad93a2df6a

SHA512
8e42fc1d93e7c1d2f8979e8b7bbda22fe849306a9219c958c9f41fc4993084dd26a76b4ecfff03b785e31a9f8d0e1cc9f60b7e7ad742e0654b2efb797917215f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34cbb5d58022ff8464fba07342bbb0c8

SHA1
091b95aed6d5108cd46934e46c2d31d1aac0b65c

SHA256
91a1dcc40cdc33f87ce330b03cedc7d831622bde40aa1a7d2d447d50780eaba1

SHA512
6c6fc197bdd8c28f805ad7b774ed72dd888d510e51aa899c2d4217675ece878c31a6feb9543386e78b16a9336d42a90bc9c50730ccb0def3b7753669d0b74976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21ff144fbb26ec07f307377fc7ebe749

SHA1
3ac5cbd31e14f5acc8ddef91c34936e20d1d3776

SHA256
b743b275e0caf65d476966cf0634b84b92a8876f16088090e9fad46bf0a43cb1

SHA512
29e1d8e2ec4d40772b9ce106197d49d2f613817dc4d0b6d7455033892feb50b03d5deb0086df5225f6a03e13b4b511649fdee21a8bf2267923b0230b7610f459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a17d85de4f4e5b2ca5ee89ad6116861

SHA1
990315f77d72bb58c1b504ac9aea2aa23d59837d

SHA256
99f6c697f366d2597913e946b559e2c05c36ef754618a97efade2dc9e669b6e3

SHA512
6ad4bdd14d80cc133da7b510be57184e66c5f4e47833ee9bc1db16b146caa73482a893cd2699b2e9cfb912c473e480bf1dd5eb657b4cfd98cb0c046b17b26827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
69631d169fe5b265062f8410e34d5ee5

SHA1
b72c663c0f5b8a13c3517d56b36342b8c1c0a48f

SHA256
d86096aff80178617b578eeccff06f5e144f829663bff52b2dd916b3050623bd

SHA512
6399859b95af8f43cd36f723c0882c3fca036b8f9404a63f0dc9e744f5450a81fccc80a527e46197f2d297b9534a0885ebc172cd6ea78307484af84f5f8610b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1be80d7bb99893e300b572fb7603b6f0

SHA1
7b2f1bee72c80326c4f168dcd797a3fb27258650

SHA256
bb01972fc7d32056f7f1ed52ea8ae64bdc645de639554c788dd1dda2b029c9cd

SHA512
d0e40bc7abb3fa31baa5c3e3300cbdeb21619c9dd19f57a96c4646db76ed2597537c81df0f2d05af3e58af80702220a2483ef36cea06a2d29495f8360e2b9ba9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\306b12bb-c179-4434-acf2-0e28b95a69b7.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
521B

MD5
a61e8ed96183a66a64951bc5bd298835

SHA1
ff413cb2aa8dc260f26a1a76c971175d486908b4

SHA256
d770245792cbe587e4ea529d3f2d96f00cd5813e5f9b0b3e069b8715c020c41e

SHA512
92fc730f40c1bc8e881cf6ba1f63e2fc5d443b68d70fb05614534b5040e99e1933303e4a84c6e148f9be11918d9528638c3f0a8a4a7684d96abbc8c3bb934489

Download Submit
C:\Users\Admin\Downloads\RealtekRdrivers.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 293922.crdownload

Filesize
3.1MB

MD5
ae6a71aba5e7ce0ca5329c8dd1689b12

SHA1
87880eb58a233f3f483532ea8a5dc54bf56d2f27

SHA256
cf29a26ab495fccca2aaab35efc1b894605274b306b9655d408123af32bd0896

SHA512
74837c8c0e92c7ca23a5890447a9bf92c6369eba920870766f4f9e72f964d609bfa85adc7163ff8409c3461a32351c86d8b2108a65973acf9327bf9177c8969f

Download Submit
memory/1136-106-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/1780-114-0x000000001C450000-0x000000001C4A0000-memory.dmp

Filesize
320KB

Download
memory/1780-252-0x000000001CEA0000-0x000000001D3C8000-memory.dmp

Filesize
5.2MB

Download
memory/1780-115-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/3404-244-0x00007FFA36D10000-0x00007FFA36E1E000-memory.dmp

Filesize
1.1MB

Download
memory/3404-241-0x00007FF62B890000-0x00007FF62B988000-memory.dmp

Filesize
992KB

Download
memory/3404-242-0x00007FFA3BF10000-0x00007FFA3BF44000-memory.dmp

Filesize
208KB

Download
memory/3404-243-0x00007FFA2A3A0000-0x00007FFA2A656000-memory.dmp

Filesize
2.7MB

Download
memory/3736-230-0x00007FFA1DEC0000-0x00007FFA1EF70000-memory.dmp

Filesize
16.7MB

Download
memory/3736-229-0x00007FFA3B990000-0x00007FFA3BC46000-memory.dmp

Filesize
2.7MB

Download
memory/3736-227-0x00007FF62B890000-0x00007FF62B988000-memory.dmp

Filesize
992KB

Download
memory/3736-228-0x00007FFA401A0000-0x00007FFA401D4000-memory.dmp

Filesize
208KB

Download
memory/4072-263-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-253-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-262-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-255-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-259-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-264-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-260-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-261-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-265-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download
memory/4072-254-0x000001FAFBBC0000-0x000001FAFBBC1000-memory.dmp

Filesize
4KB

Download