Analysis

  max time kernel: 147s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-12-2024 02:16
  Static task: static1
  URLScan task: urlscan1
General
Malware Config

Extracted
  quasar
  1.3.0.0
  Office04
  192.168.1.11:4782
  QSR_MUTEX_f39lWqYnYtP5YngtM5
  encryption_key: c5q7P5jsfrwN6nB5c3mG
  install_name: SystemUpdate.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: WindowsUpdate
  subdirectory: SubDir
Signatures
  description | flow | ioc | Process
  | 128 | icanhazip.com | Process not Found
  Key created | | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | msedge.exe
  | 117 | ip-api.com | Process not Found

Quasar family

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0003000000000745-308.dat | family_quasar
  behavioral1/memory/5248-327-0x00000000001E0000-0x000000000023E000-memory.dmp | family_quasar

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | AlphaFS.bin
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Dox Tool V3 Cracked.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | svchost.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | svchost.exe

Executes dropped EXE (12 IoCs)
  pid | Process
  5796 | Dox Tool V3 Cracked.exe.exe
  5984 | vshost.exe
  6000 | AlphaFS.bin
  6040 | winst.exe
  5212 | svchost.exe
  2376 | Dox Tool V3 Cracked.exe
  5248 | WindowsUpdate.exe
  2944 | DOX.exe
  5540 | HQUHlwGxWA.exe
  5692 | SystemUpdate.exe
  6064 | svchost.exe
  5156 | HQUHlwGxWA.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows 10 Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  117 | ip-api.com
  128 | icanhazip.com

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\SubDir\SystemUpdate.exe | WindowsUpdate.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir\SystemUpdate.exe | WindowsUpdate.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir\SystemUpdate.exe | SystemUpdate.exe
  File opened for modification | C:\Windows\SysWOW64\SubDir | SystemUpdate.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AlphaFS.bin
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dox Tool V3 Cracked.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dox Tool V3 Cracked.exe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vshost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DOX.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SystemUpdate.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1684 | schtasks.exe
  5704 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  2012 | msedge.exe (2 entries)
  4992 | msedge.exe (2 entries)
  1844 | identity_helper.exe (2 entries)
  3252 | msedge.exe (2 entries)
  2376 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | Process
  4992 | msedge.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 5556 | 7zG.exe
  Token: 35 | 5556 | 7zG.exe
  Token: SeSecurityPrivilege | 5556 | 7zG.exe
  Token: SeSecurityPrivilege | 5556 | 7zG.exe
  Token: SeDebugPrivilege | 5212 | svchost.exe
  Token: SeDebugPrivilege | 5248 | WindowsUpdate.exe
  Token: SeDebugPrivilege | 5692 | SystemUpdate.exe
  Token: SeDebugPrivilege | 2944 | DOX.exe
  Token: SeDebugPrivilege | 6064 | svchost.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | Process
  4992 | msedge.exe (33 entries)
  5556 | 7zG.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  4992 | msedge.exe (24 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5692 | SystemUpdate.exe
  6064 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4992 wrote to memory of 2176 | 4992 | msedge.exe | 83 (2 entries)
  PID 4992 wrote to memory of 3016 | 4992 | msedge.exe | 84 (repeated entries)
  PID 4992 wrote to memory of 2012 | 4992 | msedge.exe | 85 (2 entries)
  PID 4992 wrote to memory of 4376 | 4992 | msedge.exe | 86 (repeated entries)
  (64 entries in total; all writes originate from msedge.exe PID 4992 into its own child processes)
Processes
(indented entries are child processes of the entry above them)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg
  - Quasar RAT
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4992

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d6046f8,0x7ff83d604708,0x7ff83d604718
    PID: 2176

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    PID: 3016

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2012

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    PID: 4376

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    PID: 1520

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID: 2208

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5184 /prefetch:8
    PID: 1468

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
    PID: 1136

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1844

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    PID: 1240

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    PID: 4588

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    PID: 972

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    PID: 2608

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
    PID: 4284

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    PID: 408

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3252

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8571221797179357021,8019639868197143465,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 2376

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 764

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4040

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4e8 0x2f4
  PID: 3836

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5292

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Dox Tool V3 Cracked\" -ad -an -ai#7zMap11163:100:7zEvent32256
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 5556

C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe.exe
  "C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\Dox Tool V3 Cracked.exe.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5796

  C:\ProgramData\vshost\vshost.exe
    C:\ProgramData\\vshost\\vshost.exe ,.
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 5984

  C:\Users\Admin\Downloads\Dox Tool V3 Cracked\Dox Tool V3 Cracked\AlphaFS.bin
    AlphaFS.bin
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 6000

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 5212

      C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
        "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
        - Executes dropped EXE
        PID: 5540

      C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe" C:\Users\Admin\AppData\Local\Temp\svchost.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 6064

        C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
          "C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
          - Executes dropped EXE
          PID: 5156

    C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe
      "C:\Users\Admin\AppData\Local\Temp\Dox Tool V3 Cracked.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2376

      C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 5248

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe" /rl HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 1684

        C:\Windows\SysWOW64\SubDir\SystemUpdate.exe
          "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 5692

          C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\SystemUpdate.exe" /rl HIGHEST /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 5704

      C:\Users\Admin\AppData\Local\Temp\DOX.exe
        "C:\Users\Admin\AppData\Local\Temp\DOX.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2944

  C:\ProgramData\winst\winst.exe
    C:\ProgramData\\winst\\winst.exe gjM27i1oMlvtyvQKlBIJF4qxeqSA5NaIvOGkgIak9A6C2YQM8qSJir9FO0mIhtet
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 6040
Network

MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1): Scheduled Task (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1): Scheduled Task (1)
Downloads
  Filesize: 152B
  MD5: 85ba073d7015b6ce7da19235a275f6da
  SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
  SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
  SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

  Filesize: 152B
  MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
  SHA1: 010da169e15457c25bd80ef02d76a940c1210301
  SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
  SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8384544c-9db9-4026-ba18-c09fc8f29e8a.tmp
  Filesize: 6KB
  MD5: ce605fad313f3dff835e59a46d3f7942
  SHA1: 3fdbcdb9e048ce4f8481ccc8b01032e7814dc3db
  SHA256: 867279774a58f0acdacf80fc816ebf133ba3ca8ba881e24726e11b138e8d74a7
  SHA512: 19626d11d6f5d537f16c86d5a1796ba3f40654217e689efb2dcc0e329846c15f2eb95523963d472ce1cc636ab8c04c8be04154152d355d3ff3120bf1962e9697

  Filesize: 36KB
  MD5: f90ac636cd679507433ab8e543c25de5
  SHA1: 3a8fe361c68f13c01b09453b8b359722df659b84
  SHA256: 5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce
  SHA512: 7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: 6dd28d1ef8c2e869be0bb1c79dc076c4
  SHA1: 57c3e809db473933149d69f02975ba6948879567
  SHA256: ff5f34ceeefdaec43c4cb38942c84f62eeecda87a5fb43451588ba1697a1baf1
  SHA512: 95532e756af2767de38978059897fef1254305093f1a5761cd7ea5c26f73f6597ad5a1609b3393cdad1a2e3557da80b20d44ee30eec891eabb1b0bdccbb171f3

  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  Filesize: 188B
  MD5: 008114e1a1a614b35e8a7515da0f3783
  SHA1: 3c390d38126c7328a8d7e4a72d5848ac9f96549b
  SHA256: 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
  SHA512: a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

  Filesize: 5KB
  MD5: 00b2d67602697307175caa2da4541e55
  SHA1: 4b94adb2540a42b57475cbf435b406d028824625
  SHA256: af5633854f2bcf8668bfb39e5c59c477752d840df8db1d7fe2e87070eff4ffd6
  SHA512: da90e94e3dbded4efda7127c8dfa3a854cbe211564b026cd47239dd17795844a50b3cac93158bb011d3841e0d459604a511a50b30b26c51b2617695a68a4283b

  Filesize: 6KB
  MD5: 3f3c30e4ba92b1b09454e62167bb69f6
  SHA1: 70de992f7303d60c4690c1d2ca81821106dfdd63
  SHA256: 9bf12e004c83aa5eefa63011cbcdd038a9f3b87bfbacc7a0f855b3f70f2dad4c
  SHA512: fc76d119cc3476f1b407a80e363ca7396aa30b12a505183e71df2f6ddd05b4b368c14b246ebcd717baeeee928f3e60a2c516fd334a5ff57ecc34e77294e21faa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: ef01dbb30aaf381eef26def24f99ecb8
  SHA1: 75b8fb176e278bd70606321e6cd59faffe2add61
  SHA256: 37d9a7ee116a6a20518ae52e6c81477a5c5f71ead11c47000cddf8b844768263
  SHA512: 71fd4df4b8c17b5fefb0de1a222c4717df14b10530fb29d4a88d99e0f9853c109914e9f390a6ddf3642ff449716018deebeb8f73bfeb902636a227cf899d687d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580105.TMP
  Filesize: 48B
  MD5: 7bba8d0cf5c78417c72f5c71af40d5f6
  SHA1: 8937421e7de2d774842124244d79ddb74c161a04
  SHA256: 02ff0a518334fed3670288f00e9645eebd122df9accd1028e10b87506838d9f2
  SHA512: c8514f888079daa1455d2986fa157656eba60dec84e02f0f278890704688f1727e02779ea59325860fb1beb77395a8ed0f8294480925f86db7aaa7e18ffff009

  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  Filesize: 10KB
  MD5: 37019fcbe7bb81c7132195c84ba62a5e
  SHA1: 215fa1715f4ce21025af03f1f1f66d5bc437ba60
  SHA256: 4195ad40e9f30efe431c4b65fe545dec8d4fca53537eddc727c4930915aed087
  SHA512: fa264eb95db8ec71d346c8053b4e8be460d6d4cc44ae3a365c499df57061074a8202a7353d7bcbf59df001cedea1f7ccdb2d269f7f51324a21578325224e4b48

  Filesize: 10KB
  MD5: 9a082a1d2821ee76a7b27bcd09b65fb9
  SHA1: b691f3056c311ba0ce63a864b32a155617282d84
  SHA256: 429b89207b7840643b6b036d582eeb24890193065c59693ab69abb394f1ac168
  SHA512: 82ba50e13298b5382dccd11248a59a5eccc2d30513ab019ffb2a6edba45f82c899453e475c6ce78467d83d4c7b12ac9d8b68cdad16b8ad7ea5f634bc5c3179c4

  Filesize: 154KB
  MD5: 670f75850165e3c3ef0df41e1565ff58
  SHA1: 784ae13c951ac390d7dea0071c97aded6800b708
  SHA256: fb128eba50fac8bc22faac39de602c306809cb37167b950bd194eb0bd9832812
  SHA512: c0355235fbce7829dbcd3fac26ec5663b09c880826a014599127f330ddd3c16a95a0ab973fa75ddbb4ce0f8756ab2494739b04d1fda0bb799d577e493c9ca9b9

  Filesize: 688KB
  MD5: 19d55f26a6237985cb72c59c08d4828f
  SHA1: 8bc51ad39e35f9be7d46e9e90e754e07d9c88b80
  SHA256: 317f9d304aea7c5a4b3516f5379a63e2a4fec91578f3c3f69507c8167798062e
  SHA512: 7a9de012783f9323264fb59739b76195acedd846ea15382d67e5ab19325269a37647865aaa44da9a97fb8eacdf365c1b6c55c0920c46a6cdca6a7c73b09e19d1

  Filesize: 20KB
  MD5: 0d282d4eb8db6d5152b4e5fd3e2064b5
  SHA1: 72cec747647d5d0f6ef2e5ddb34f1db68fc183e5
  SHA256: 8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061
  SHA512: 16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72

  Filesize: 20KB
  MD5: 94306f6cf69f7e7c0b4f10ea499f73dd
  SHA1: 3228b4c2ca9109aa86f2810afc3d528947501c92
  SHA256: ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e
  SHA512: d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136

  Filesize: 348KB
  MD5: a59f7fb8ac2dc166432a86eb8e2179ff
  SHA1: 9c8b24bda935e397e1c0cb33752331fe1f773b45
  SHA256: 82d315a2102a1bbd8c1533ea70f93982d2ad0fbbad3d48e9a4265c45353ceacc
  SHA512: ff05149ca95d982ee44c820d8bc03e48d6230a7085291f0653398a410a16610038fbc336ec843db7020458fbe982762439990b348de050248758450b3ea263be

  Filesize: 76KB
  MD5: a57d275fcac1be0b9aad189223a313df
  SHA1: 0762b222741fa30751dce16e7dae2bcd191adaea
  SHA256: 1c6d4e2a60849385c9b4cfbb1fc92032cb503497099208f62d7908e52b9b487b
  SHA512: 41d90ec2548654b86bba21d178bae55b538bc7acf7811b9615095e4719e52075096053427ff85428a51047f405e8d1e6a633b999655e296c9ac396fb2bba36a8

  Filesize: 1.1MB
  MD5: 149c03573d781dccd10542212a439f02
  SHA1: b70b800fd6884217c466cd913bb75b703e8a2a56
  SHA256: e38e7376cbdbfefb2cf083511f3245ec9806ea1b27a07119d2c4ab56517f6b62
  SHA512: 9a1084e5d2e6427de7d5534f2ec802c7b3ef3ec8668e5626a0cfa60438f8ec01eefe33594855cafebf00d9d4eec71c2ab003303e42a02ff765c1de0b5af2e69c

  Filesize: 1.0MB
  MD5: 8f36caf603f3f2b192c5fd06a8e3c699
  SHA1: 44f387152ee1fb02a83ed0be5e942fd4a733e235
  SHA256: 0ca828c630091173cafd2663393888849459fbc9581d1fd062567d0afdf79a38
  SHA512: 9df012c7420a4f6224907a8ac1e3293985b30c9ff829ecc9cdeea56fdcaa1c46d8e131fdd9b525e6af092065a29401c11f24390ba30969e9f3ab7e60e094dcba

  Filesize: 329KB
  MD5: a7ae7bfe54f48516f9012048dc630ffc
  SHA1: 0374afa512283c4a590ae7a5c24935bef3c8ffd2
  SHA256: f6339244d3af530e3ef3a604f088d59e8d0291334c2b0892cc5663337ad63c9e
  SHA512: cb3216b5c21832634abfd55cfd2cdd81a0907fd45a5a1f3b58bc89eab888fb16d0d2c2a8383964dadc1583850b712ba84f796bb0073e37ed3e4c5911d39ea7ac

  Filesize: 211KB
  MD5: 59238144771807b1cbc407b250d6b2c3
  SHA1: 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
  SHA256: 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
  SHA512: cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

  Filesize: 238KB
  MD5: 4e6a7ee0e286ab61d36c26bd38996821
  SHA1: 820674b4c75290f8f667764bfb474ca8c1242732
  SHA256: f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
  SHA512: f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a