quasar | hxxps://gofile[.]io/d/1O5ABk

Analysis

max time kernel
208s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/1O5ABk

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.20.5:4782

Mutex

cd5c1121-523a-481c-bbf0-684c5522dd85

Attributes

encryption_key
D49DA0049C9A948B065557C5F7F0C812465A95EA
install_name
argonui.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ArgonUpdater
subdirectory
Argon

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c44-77.dat	family_quasar
behavioral1/memory/4912-96-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4912	disableDefender.exe
1940	argonui.exe
5060	disableDefender.exe
1676	argonui.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 5753.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Argon\argonui.exe\:SmartScreen:$DATA	disableDefender.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4376	schtasks.exe
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
744	msedge.exe
744	msedge.exe
3732	identity_helper.exe
3732	identity_helper.exe
2548	msedge.exe
2548	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	argonui.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	disableDefender.exe
Token: SeDebugPrivilege	1940	argonui.exe
Token: SeDebugPrivilege	5060	disableDefender.exe
Token: SeDebugPrivilege	1676	argonui.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	argonui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4440	744	msedge.exe	83
PID 744 wrote to memory of 4440	744	msedge.exe	83
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4504	744	msedge.exe	84
PID 744 wrote to memory of 4236	744	msedge.exe	85
PID 744 wrote to memory of 4236	744	msedge.exe	85
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86
PID 744 wrote to memory of 2044	744	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/1O5ABk
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b7e846f8,0x7ff8b7e84708,0x7ff8b7e84718
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Users\Admin\Downloads\disableDefender.exe
  "C:\Users\Admin\Downloads\disableDefender.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ArgonUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Argon\argonui.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4376
- - C:\Users\Admin\AppData\Roaming\Argon\argonui.exe
    "C:\Users\Admin\AppData\Roaming\Argon\argonui.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1940
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ArgonUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Argon\argonui.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12058986960469436589,9755843418806339924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3468

C:\Users\Admin\Downloads\disableDefender.exe
"C:\Users\Admin\Downloads\disableDefender.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Roaming\Argon\argonui.exe
"C:\Users\Admin\AppData\Roaming\Argon\argonui.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\disableDefender.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
10f14abc82c8260a89dde45fb044117f

SHA1
0b8bb6b26fb6dc167308e23fac6f0bbb800192e3

SHA256
d3cc2ce88fafc09f7276938ba1e65afa528ad757bb144ee4e4751d2f242421e6

SHA512
a071b6cb5b33731b886e0de7e15a19794564d95d485bdf3c5e8dfe0bba0c8f4df20264f8cfab30e4cf5e392e7aeaac55cec3109f97cdee4d9871d84dd3ec2670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7db3dfbd3824847e38299e19ed495db8

SHA1
fbb346a0b070d472e259af72e5e8452bcb8b5cf7

SHA256
0e7ef01600508d4133a35436c94acac7aca6b400da7e200cd857f4c7cf1d4aba

SHA512
748a46889be2bcac7080c21c63c954df22d8bac7cc40c5e69f1d017d9bb6b27900843853f51f4d18465cef196187e969406c89d11820cd80edb515ad6a1cadf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
6354060af0a1025a8207478a2b8d119f

SHA1
91db82ce55b9aa40f7b84859f74c72d51f015003

SHA256
040b43083ed411ff9ee36eaa489a0ec889b865de9055a4f1a363783707ef6970

SHA512
64529a930543ebd98ba33eb0ee91bfde32e96124239f911f7faa8119eb5c0afc5f6ec9e481c0efad4e5ecd199f246fda4cba16972a00e84daadc476414cfd044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65a987d7ed1b975478926f146fdd789e

SHA1
3e892c6ba3e4ff43d7305c8e7dd1bbbb4fb76032

SHA256
9c011c27572bbf92ec5b3b5bad7b017cc06543a0ff25499bea47b406300eef36

SHA512
a3a48677ba619471e527e07c5081cf62feeafdd00e20dc837ed54b944315f638b3202c991200dee9ae7e840fd769c78d0aefd6a106a752690d6947673bec2f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0acf749ccf7ba50b8cfa7b47e570809

SHA1
22cc760d976b111ee1239b2ae38a7b82dc6709a3

SHA256
516146d6e0d9f58fd7b981ab1b5e485f398cc144471120f25c1e9ed66e3af571

SHA512
1bd6ddb37635c56de0633afde960dea2834dd190e953af669840c6cdfc130af19f9e90882aee3051e33e2cbe9ad24723d001f708bb18bf9e15b0ccec1ab08da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3e515c72a18a9977419744cf0876438

SHA1
72158eee864da75131c061e6db7c43bb6a762093

SHA256
375d7285e4b35035a84c06a38a2c3464570f9acbee3dfcd109746a8f204d05c9

SHA512
80ec992c81e08632a545905afbb7d48060f9917d1564fb26a9950deb2ecbec0427cb08feb8e16c40584d5e54f0e682a0e752e25b978048bf639407fd8d90f3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f2a919cabb5a9792722ff74094a65e94

SHA1
195a433d2c09766dff6a56f3d41d5b2e269af4da

SHA256
4a0642b5cd907917c7fe80c2ecd2ecda2969cfd0a0990dab7c54fce7978fbd7d

SHA512
94cd5c7d10e1e74622e41fcb2f695d2a66a7b34f69d04bf4e0733eb3522d370a59b089b9b840a7d6dea615d3639243b05bb1b659f51c5fa9ba4c83952e7c3b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a093a881bf6d60973fffe4ca345ad3b5

SHA1
dcb5a43b8b48391b48d7e1908c4d65c5b3c8f99f

SHA256
4d7f0735509354a8f5c27ebf18af0a4658cac732581a8b20db154d0fc88bb8cc

SHA512
a0f4e35f0f32d335a79ad9e40fd4c53938256b85dc333ba8cafa64086760663c7d80773830920bf40b0c309462057093182c5b1631e40a6102585d5be6d223fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
369cc866f74e34fc25834cdacffcb3bb

SHA1
fdb3e18275142fdcda51f97899880dd431491129

SHA256
3b75d7932c403b095e0cc75084e930a8b41ac87381b1f49611f4c2f35bf0f66e

SHA512
50b5bdf226140cffb6bdddb985b382728b2f3f7ee35343004524ce6db037231464725c7d9a379913409df15fc93ab98918e7effb2ad120acff736c1bf8f9b54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
56614716908fb90eba5fdc7ec5a8a839

SHA1
61b8d331f77bc92305f8918f8e0a35719195e788

SHA256
d700b8b79fe9e2a5c93ee726aa38d2e281385af1515bb89b70b0feda70857f05

SHA512
58d3b9109cc30f4d954be274ee9759eceb69a46850a1b00d146ac5cce93a59e4f8b3b90bf6b02a1ffac733c3a547c8948354c71ce0cb93fe284ab056597ce5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c2d69b5515fdcbd702b77c3b2294b21

SHA1
c62e552f78460354f6267a319e62ca9077d0f408

SHA256
855266afd7f6d5285ca9743262060a8712c445a1d776ae86afb962cff943789c

SHA512
08dd3140f043c765c11aad1fc9be3728ae5eb52feed1cf0850b0cd38a916cd5c23aabe409069b73b87717f80d726052a4b692d0e6dd1d82aad300c2316fe8d38

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 5753.crdownload

Filesize
3.1MB

MD5
0213a1dc625eaf82e4d4a94ef9155eeb

SHA1
af3df68c68a7070079b123ce2f22389a5aa768df

SHA256
532a988eeae201a337f328d2120f8af790042da93735c0fc0c17a1063fdf7f60

SHA512
67277e020c3776695b2fb854e834a2850dcfd378fed62b84414ead8c1dce7d1859b2799c973f599a4661124912a49c685c8438b3df7e4012ee7777b1ce489f26

Download Submit
memory/1940-129-0x000000001C520000-0x000000001CA48000-memory.dmp

Filesize
5.2MB

Download
memory/1940-110-0x000000001BE30000-0x000000001BEE2000-memory.dmp

Filesize
712KB

Download
memory/1940-109-0x000000001BD20000-0x000000001BD70000-memory.dmp

Filesize
320KB

Download
memory/4912-96-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download