quasar | 43b71df5e82088360ef5c989dc4d64e73cfc914ce5242227cacd738385920bef

Analysis

max time kernel
1030s
max time network
1048s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geode.exe
Size

3.1MB
MD5

1d0f632c36b11f0c97f0b9edc9ea3b5b
SHA1

4de1d02026467739101b1ff56040dfcac0c32907
SHA256

43b71df5e82088360ef5c989dc4d64e73cfc914ce5242227cacd738385920bef
SHA512

9c31115c2e8cb640adcd36d2576d68578a521596526beaa6b3f68edfc58035f27088c01bfc2d3efae2a950fd44d136d718ece604c506f5a49d49e6610e31fc46
SSDEEP

49152:ivkt62XlaSFNWPjljiFa2RoUYIaTY+5DpCL/oGdfrTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIa8+W

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.182:4782

Mutex

3ac0c00d-09c5-4e2f-b311-74219d53d39b

Attributes

encryption_key
3EDD78F514CCF273FBBB32742C07F192C4532416
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Geode
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/544-1-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c95-6.dat	family_quasar

Executes dropped EXE 5 IoCs

pid	Process
2948	Client.exe
2296	Geode.exe
2284	Geode.exe
1032	Geode.exe
3036	Geode.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 659472.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3092	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
4428	msedge.exe
4428	msedge.exe
2384	identity_helper.exe
2384	identity_helper.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	Geode.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	2296	Geode.exe
Token: SeDebugPrivilege	2284	Geode.exe
Token: SeDebugPrivilege	1032	Geode.exe
Token: SeDebugPrivilege	3036	Geode.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 3092	544	Geode.exe	83
PID 544 wrote to memory of 3092	544	Geode.exe	83
PID 544 wrote to memory of 2948	544	Geode.exe	85
PID 544 wrote to memory of 2948	544	Geode.exe	85
PID 2948 wrote to memory of 844	2948	Client.exe	86
PID 2948 wrote to memory of 844	2948	Client.exe	86
PID 4428 wrote to memory of 4144	4428	msedge.exe	99
PID 4428 wrote to memory of 4144	4428	msedge.exe	99
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3360	4428	msedge.exe	100
PID 4428 wrote to memory of 3460	4428	msedge.exe	101
PID 4428 wrote to memory of 3460	4428	msedge.exe	101
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102
PID 4428 wrote to memory of 3856	4428	msedge.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Geode.exe
"C:\Users\Admin\AppData\Local\Temp\Geode.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Geode" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3092
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Geode" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb60c046f8,0x7ffb60c04708,0x7ffb60c04718
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,15192454025664570323,4071912817290127368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Users\Admin\Downloads\Geode.exe
  "C:\Users\Admin\Downloads\Geode.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Users\Admin\Downloads\Geode.exe
  "C:\Users\Admin\Downloads\Geode.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Users\Admin\Downloads\Geode.exe
"C:\Users\Admin\Downloads\Geode.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\Downloads\Geode.exe
"C:\Users\Admin\Downloads\Geode.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Geode.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
193e09ed4c672c0973cd716de292274e

SHA1
c57a31b2cb131e4b06165bcfae7f267e3d5fe2f6

SHA256
19d75c47b233fc8831769b94cda06bce7fb8b8a1648c60bafb7d0b7ade30ee95

SHA512
f37e1a5162687cb15940cd7cecd10508c95eff83c898a028587a219caeef65d3d366ae317bda9724bf150f21a27be02fed85a759eca79b349925c5826ccf4e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dd7ede720bb2ef9e693917200ed5e8d3

SHA1
fa08b5fbab98dfb3387e72f97fd3ee7e384af9d7

SHA256
254d425320f0555e7b32450b767c82a007e304e68d67da2fedb8a5613e301759

SHA512
30af985b468cc28c74a77c6af375f3543639f1c489870ff3ff8e0bcfa0b7edbc61040fbbb2c685ba2d8471e012b1b09ed1ed21f94fb23af9df88ec69ee242453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
5dafce9ffe4fb5f7a54256240e2affce

SHA1
7e7eceb221889b790f6a5db6f4552d2c9b831f7d

SHA256
c3c554f5bd82d002d86107630ef788899ad29c8442c6882ea2eed08023f6cd50

SHA512
87eb6f9685b28d96c5c26652aba359524edbfab067fd177b342e320fed8366969430f97f419a04349ae3738fe20e4cbccf7b95be1072bc259ebce4992b21e2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
499784afe6c1ed78dd433b04efa6cc77

SHA1
6101676ce3e55d8e84e4a1a77cd24bb458445c52

SHA256
fe5aa379bd3d6f97f7e6df02d3d51abe8d1e5a56b2a0a0c1587653b3c63d1148

SHA512
994d479643c13436c1c5605247e320fc49ec8fa31ed84cfc96814e0b7a012660203a23998940de312621bf70db5254b7bfbe11b99611432465404eb0f7b940ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a3f3d45d4e71d143825238c64c394dac

SHA1
042fee1b8fd98203a993302475637de2f549a5aa

SHA256
3c62b1378bc25fe099eb543391ccab53da6340456d5227fa0057f49fee8b19ec

SHA512
9e200fab8721a8238b94a9b5cdc06c9fca5c4c3ddee1f5684cc6db13a1d8a3fd70bbc896d7246ff542b2e67dd340dee9c16f87b3300752a16acf36b5fcc073c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
59492db8645936257ee31c31de68d84a

SHA1
fc0d143dc144d4543e6e4f2cb77754a2a099620f

SHA256
ba42b80a8dc0e1979f773dcea0f411c271f8c941d483c882cc66dceabbe53f8c

SHA512
cde64d7e251bba764684dd375b70c6cd69105a0e2089107efdc16d3b35cb1be8c4ea4858d79ffb2a8adf96ad62e63f8c32b3dc8b05d04c0252314ba0468596f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ffd860ef1b123b50f674d42b7f19ff5

SHA1
0284e69c44de21ac6a6b31da0ae1e4d153caabf7

SHA256
29b709b9dd7118fc70c281aaf52fd8ed5ffa8c414b1cd58b64daeb14aec267ec

SHA512
6b989fb5642e8539d3cede9c50b4eb335404d8c6f84b3d9b8b11d9ae27cd6cf4793aa5952e72797f51e8683b1a11f83c7ea6f4cad1cbf92ebc26aaea56a20192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c6a1972548477be02f62e20a7e5d4cc2

SHA1
0f52cdc74f3181b4485a7c5bd3efc85b2ea768b4

SHA256
638b2c9b3f69163974eb1e5297d55ffa2e6f7fd5995c597a2ea2ffae07dd0f30

SHA512
cbc9f72b3995855c02062d7fb029b282c7fc666ff0c032684cb63d7567c96e8edc42665095aa4a758ad4ef3937faa43194ac6b954f0caf182d52018419120b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5341863ac306847c1dbe99919d530e57

SHA1
bfdac18ee0730c9b535dd17402c815a70322ed74

SHA256
9ff4342d6af65efbf938ab87c043d38053c5930deb552d86105373d248c723bf

SHA512
b880445d4695e800ede9257aa9a945df5cc328e8ca624d7974c6a67d7545ec86c8efaf5beb228c909f64bf01370e83848132954f1171bc9d901bc917bfa883b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3daa1c5c87c5bdcf57a9167fc321da89

SHA1
bd6f338c40abac49ecc46737475cc5c64f8c1e9f

SHA256
45d4b1ae6cd93c4fd14901e3d3ed3b3b73e62205a459773e3ea8bf2923080395

SHA512
0993f2100de4e49b52f7d6b3178b8ba519a2a8a40c4e43f1c912da7cc4f8ed1822df9f1ec241db32e7da26697b5d59fafc83c8e57a7a6c3dbf6d6464761ceaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2202f80f0ec4a14849e8ca253ed5cc27

SHA1
2b04327fc9856885b690982499c212d74d5d4de8

SHA256
27a156dbd48217e6473174c67d8770849435da642166154415106b282cde78d3

SHA512
2e511dc2c94f943ea7e5dd988aedb4457fa4267b2c764b61a6b80fe26b2d4e9cc7563c5a49ef0b7515eccfa49446aaa89cfba052204bd80251e0573404a05fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ee43.TMP

Filesize
1KB

MD5
223b44611836f79c3db6edd62b91604d

SHA1
781f3c1f8f3e01fbf2d008d201b826b81797aed8

SHA256
173c87e62f38317ed7f22cd07a32179235d1d6de1c684e431f02efb0099dafc2

SHA512
7544d3e4fef94d2eff05524c9d01eda67a862aae26c76243beba14396b35eb50e1effb42be39e22b888ca39789ab775405bdb9d7f1625c293475d89ba52c9463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0258359f8e44b7ffe2efc0dbf3116654

SHA1
503010d1a6c10429a9b6b119767494395903b5ba

SHA256
01d2ca0b0306016d7d8751d7f27dc8774c77d4d8ae10c107f7cd37cd664406f6

SHA512
bd7416484d39427d8bb8dcc2d05ba2a19485d9e327d65db780c44a80c054b3fcfa181cc36c15459dcf7a56ee3dbcbb024ddb49c076ed6a2b087be8a7eb8fe52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b7eb3c56da9b2442c15d4eaa68be9109

SHA1
8671ac42e45fc6e45dc20ab1e6fd68929273ed45

SHA256
c619f3619fc8d252e8b49ca436f64c243f6faa0dae9a95f2b3465bb000154839

SHA512
17edaf235b54d089fe9fb8c52b18d1627fd0ab93816a6327d7f94adb2c0560a5548bc62d7b0b6a169de502df7abb59dfed527b2005f27f957a9d624c1f14c791

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
1d0f632c36b11f0c97f0b9edc9ea3b5b

SHA1
4de1d02026467739101b1ff56040dfcac0c32907

SHA256
43b71df5e82088360ef5c989dc4d64e73cfc914ce5242227cacd738385920bef

SHA512
9c31115c2e8cb640adcd36d2576d68578a521596526beaa6b3f68edfc58035f27088c01bfc2d3efae2a950fd44d136d718ece604c506f5a49d49e6610e31fc46

Download Submit
memory/544-0-0x00007FFB66543000-0x00007FFB66545000-memory.dmp

Filesize
8KB

Download
memory/544-10-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/544-2-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/544-1-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2948-77-0x000000001C770000-0x000000001CC98000-memory.dmp

Filesize
5.2MB

Download
memory/2948-14-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/2948-13-0x000000001BE40000-0x000000001BEF2000-memory.dmp

Filesize
712KB

Download
memory/2948-12-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/2948-11-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download
memory/2948-9-0x00007FFB66540000-0x00007FFB67001000-memory.dmp

Filesize
10.8MB

Download