quasar | hxxps://gofile[.]io/d/HQdVvH

Analysis

max time kernel
21s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/HQdVvH

Score

10^/10

quasar ratt defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RATT

REATTY-39697.portmap.host:39697

Mutex

c495778e-b39b-4a41-a334-92a92e0045f6

Attributes

encryption_key
DFF3B9FA24D9D7DB4D5E0215CD03FD70D0300D2D
install_name
Skibidi.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
RAT TEST

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002aabf-48.dat	family_quasar
behavioral1/memory/4164-147-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4164	AIMMY AI (1).exe
1676	Skibidi.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AIMMY AI (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3752	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 944474.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 909290.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 894703.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 85210.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 126197.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AIMMY AI (1).exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\RAT TEST\Skibidi.exe\:SmartScreen:$DATA	AIMMY AI (1).exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3752	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
4772	msedge.exe
4772	msedge.exe
4200	identity_helper.exe
4200	identity_helper.exe
3444	msedge.exe
3444	msedge.exe
1952	msedge.exe
1952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	AIMMY AI (1).exe
Token: SeDebugPrivilege	1676	Skibidi.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
1676	Skibidi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1292	4772	msedge.exe	77
PID 4772 wrote to memory of 1292	4772	msedge.exe	77
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 4608	4772	msedge.exe	78
PID 4772 wrote to memory of 2588	4772	msedge.exe	79
PID 4772 wrote to memory of 2588	4772	msedge.exe	79
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80
PID 4772 wrote to memory of 2888	4772	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/HQdVvH
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Users\Admin\Downloads\AIMMY AI (1).exe
  "C:\Users\Admin\Downloads\AIMMY AI (1).exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- - C:\Users\Admin\AppData\Roaming\RAT TEST\Skibidi.exe
    "C:\Users\Admin\AppData\Roaming\RAT TEST\Skibidi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8iyFhUqipkqY.bat" "
      4⤵
      PID:244
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2600
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14915317746153371950,10593244031316291637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
3.1MB

MD5
07feba62b19fa1437ff17074de523fb1

SHA1
73941a08b1832e4d4daccb62c3e688984695a858

SHA256
0cfae6c2532a5cfcf687af7bb26ced24ab932c327e87e3ad778799d3d2b82a68

SHA512
ea1c4ecf31e1a18dfca93c6ea0fa3465436c9ee0e295307d56b8566849fc9d6ff83e2768dd9cf90cf85b91292adc9d29f2c4a399f0140e9f9fad70d68f68e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
9fd9cd08990d13e45bec80d9e04660fa

SHA1
055642a162be594037b5b61560c636546b98f761

SHA256
731d3c4aafe449e1b23a122300928e75e9be358ca1d17d9537004521f93f0817

SHA512
c68936c6fe2df8cb7fbd8d85c636301573afbf11b9c9877f48a9cec09be53dde962baf5415d1bdc009910df50cce38abbd442d662942c76fedbc880106ecb9a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
054568993cd4c4fcedbf559589abc4db

SHA1
82366ba4a4c8c3c16a3c50ad6686fbcbb4b2df63

SHA256
c042126132833156891ef94b0fc5f9ae53fab59f6a91caccab8d0df5ab4185df

SHA512
5bdfb9f85ee4d6157c6d5531197b404b2e15d0a7a005b9eacc914ab61326ea0d385b65a26117c6738cbb5b9bbaf63521e78eec9d07ec36b1b2fe6f19a5a135a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4932de0d4fc39657f08c8b6c82814e73

SHA1
489d0267d8d8c9864bb79e3290d38d6789acd69e

SHA256
aca16f46c754d9dbe4162f9d0d7d3370f9ce9299ed2add784175d0c6184ef2d6

SHA512
dca34987682d31b9a8e715d742c9e64f84e70def4aa71e10a62bb22e7c31032b3521b3da3cbaec92f21648603598cea346c63e695ce7ff4cb03ad646dde07dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74fbc2d0c33e1258fee4a5d8850b5ea1

SHA1
4142ce23bc84579f446a116a2bd4ea2f1fc2c614

SHA256
a99d26ef6cb1483fd47a866fe8804fa3e9eb81b98efb376b8a75ccaf0cc5e93b

SHA512
324de6ae8b1c90f4132bd5cd03730c1f35e2a08419fe87b6c1a9773a41fa155552c8e04e8654484c9dcbbffee4a6cf486940f1b93a52bb5c9cc4ba9f2c87e55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb61ebde780c56d658f6ddeea9c24b3a

SHA1
eedce7e322db2af4a16c257802b898d2b1b0aa7c

SHA256
fff361b3df1806b4f2485a82da0a0a3ca9392afd60b17e50acf49dd9f24ee1ed

SHA512
7a59cef9b744ebfaa90a01d7d7b1190c0a018b6ea64053ee3844d3b29605d33c36d40aeb15f53fa6f258fd6c881022584806213cf880f69ef7721393c147cdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12c37af224607d457057fcafd77e0b3a

SHA1
d942d02fe6a0875e14e896d8169737de94964a80

SHA256
598d40fa230941dfd2c1fc4f2024c4bc03e935905795a6683f51fcc465670af2

SHA512
b29814fd74bdae39482ff51f63d769534f9f5f43eac2bc527de174811da71c30bd27107866bad7a55670983caa89c6c8dcd4e700237e6fb02e3d9c575b268373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
700825d1e3a68ec36e1861dcc3eace33

SHA1
79c78a83448dc9ea88c713aeaac984abdcfa33c7

SHA256
cecef8a453b4c3417d2ab3735ae2822b9c172bc667261d51235765f2a3489dbe

SHA512
b3c49ee5b8c1b3fd81da91cd9798210458c750de10878f3f318c85412e972fbc2af2ed737cd0eed434289aac7c6c665625dd295c9ac74aa3d2f3eb8c950cfb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\8iyFhUqipkqY.bat

Filesize
211B

MD5
74613b42018acfb93fe6a960ad00777d

SHA1
c0d8e3b45dd4877482f44d705555b1822ccf9bc9

SHA256
0fe06c75d976d321deed34883f2084bd5c600f378770fbbd3f904f169f344104

SHA512
8d96a29f48b264c5ee108c4a83773c0fc1168a95023624bbb492faab0fe2714cbb9946ab179198873929b8d10f7b75b6b94ff83af13f14fb52b2dc0d017087ae

Download Submit
C:\Users\Admin\Downloads\AIMMY AI (1).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 126197.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/1676-157-0x000000001CAC0000-0x000000001CB10000-memory.dmp

Filesize
320KB

Download
memory/1676-158-0x000000001CBD0000-0x000000001CC82000-memory.dmp

Filesize
712KB

Download
memory/4164-147-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download