quasar | hxxps://websim[.]ai/c/DMS6kaXikjws89FWQ

Analysis

max time kernel
71s
max time network
76s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-12-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://websim.ai/c/DMS6kaXikjws89FWQ

Score

10^/10

quasar office04 discovery phishing spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

azxq0ap.localto.net:3425

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
WindowsUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsUpdate
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002a000000046286-473.dat	family_quasar
behavioral1/memory/5600-475-0x0000000000090000-0x00000000003E6000-memory.dmp	family_quasar

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 2 IoCs

pid	Process
5600	Panel Ejecutador MTA 3.14.exe
5664	WindowsUpdate.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\36d72ada-1b7f-4b31-80fd-9f14dc4544fc.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241228223736.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1372	schtasks.exe
5652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2644	msedge.exe
2644	msedge.exe
4248	msedge.exe
4248	msedge.exe
1344	identity_helper.exe
1344	identity_helper.exe
5640	msedge.exe
5640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	6004	7zG.exe
Token: 35	6004	7zG.exe
Token: SeSecurityPrivilege	6004	7zG.exe
Token: SeSecurityPrivilege	6004	7zG.exe
Token: SeDebugPrivilege	5600	Panel Ejecutador MTA 3.14.exe
Token: SeDebugPrivilege	5664	WindowsUpdate.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
6004	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5664	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 2376	4248	msedge.exe	84
PID 4248 wrote to memory of 2376	4248	msedge.exe	84
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2152	4248	msedge.exe	85
PID 4248 wrote to memory of 2644	4248	msedge.exe	86
PID 4248 wrote to memory of 2644	4248	msedge.exe	86
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87
PID 4248 wrote to memory of 4884	4248	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://websim.ai/c/DMS6kaXikjws89FWQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbf99146f8,0x7ffbf9914708,0x7ffbf9914718
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff67f455460,0x7ff67f455470,0x7ff67f455480
    3⤵
    PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7320 /prefetch:8
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6984721838242684353,9028363235964165140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3576

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap18165:108:7zEvent30913
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6004

C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe
"C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5600
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1372
- C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5664
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d57a449c855203411a38d5ae80bc24c

SHA1
b361032efa556fc4557bbad595ce89c4b0c13dba

SHA256
bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21

SHA512
8d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
77fe0ce7e1f9c9ec2f198ad2536bf753

SHA1
2a366472f227a24f3c0fba0af544676ea58438d7

SHA256
c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00

SHA512
e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
70c4bd4ec4f0e0e5648237154f5bd341

SHA1
550f52e07cd17fce4a640df3f276a07294825547

SHA256
f702edc9c6fa9d6c7719f2114d6acf23285f58a3d1a7ccb1d18dabe5985477d3

SHA512
2c7827578c0e552908bd10210e89171fe7427b61fae12c1285c434cfd829abf30b377bb4448f756d7a02d13291f8bdd11b78ff1a67d0fe0b16f5aba9f79cca70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
378750e45011c6acfe699152cd5a13a8

SHA1
00a99a3d1830ff5463ea7a89546165fce29284de

SHA256
64f1c039236d749401d3ea601192c09d5b29fd1c1ba598e8d80cd2b04b9319da

SHA512
daf9caa7a5bb668997057db4f4943917a95bb26db6fa5525c7e9320f67aec3b38ef33e2cc899a9544b9c0d35374a824205aef0c86bdd54555ffb42d4a7add2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
dcc4ee2f792897c3f3149336cb7a0eb9

SHA1
b9af1789172c0a2e974044146803355abff61623

SHA256
1381b776ef69b174ef7243fc53452219ca4dcb71b6b9f79727b47f0e57310876

SHA512
ef44054f0d0beb478a07a6189680cfa0be6d23cd44f5c8c123bb8ec4749c53e8edde786fa16b59dd55aa4a138410426f28ad0b49ede7f1e2b0aba4cfbbcbd2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58b59f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20d389cc32aa2a2853610772773481af

SHA1
12d0cbc4cce0e40880d61edad9dc5b588fc8ef13

SHA256
16dc324ea35f668f7d2afbdf529b28f9b22693d8d75d5fa70693991e96e1dbbb

SHA512
92a8e949fc43346926a4baf9d84fd10989feee6f7fd6788ded7151392a4c2ab580a78ed57be68c93ddde8d426cf5c82c559059de4dcadfd9ad473312579a615f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1171f62cd1fad582ec39f0ca00a2fb3a

SHA1
14848004e09cd407c779008810682df3bcdd699c

SHA256
83136c570ce9a06711dd9c2ff28ce5804a6a5ce9b7bc7185182a1071f2d83337

SHA512
50cae73dca62f4cccf3b7225e058b4de54c2400e23d09194cec72d1b9c00538f8b81c3c8490645f0f8378227b46ec71233b0d34d7c090b76609b09774b983b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
50413f430e206b08a7efe1d97e9e1ad3

SHA1
fc30320cda587f95de8cb6ca6575531e55026fd3

SHA256
3e636c4eec9b8d31d34210aad8b530c79972f0e52cfcaa9a1441f17cdf61b9f9

SHA512
80a23d4a1ccb497d980cc561c80abaac95fe579fc61f2cb799e263d179e43b773cbf43c59c041e6fa81417cbf442dbab53d78b8e0f9458326b66f4fd004d77ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9b2345e425acf05ffaa1dee20d4fdbe7

SHA1
aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3

SHA256
1eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14

SHA512
647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
77006dacd174a80aa9b867f95d5df337

SHA1
7078db638c72ee5cf4ede7911e4421cc4ae103c7

SHA256
5e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9

SHA512
e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
597b41bd7236bc0c14e4f3a90eb7ad6c

SHA1
ed0e1e1479d9998d0dcaf8d0aae4a139f6073d9a

SHA256
b571ba873506ea7ed948ec6eb0d30781e600ed42f45c97ca95238d38ced4c6a4

SHA512
ff505d47da05d036b6d6a9155fdd21fe46e7a7d00c5672f622b4c3190232f5e99933952c9cc3ba91b7e88eabb73e8b0c418a285c37268b8aeb4a036e9552b0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5852de.TMP

Filesize
48B

MD5
582e372bc46ce962dc1dede2b6f13e28

SHA1
b0ea2d5d296d9e1b15ea0fb66199e991cb47b6f1

SHA256
09e2473b3d97b2bf022bfea915c7de79bedc58ea16befc992f29ce440177dc45

SHA512
d4d95e647b01112843b1c6080f166aac4080f2286e81b5cfc4771a46b89a5c2855b9fea5b6a5b3b9b13f97fb1d94cf35cfcc78277c634e1e2bbaedb90546e1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fbabd461b7bb8d20ab3f8584ce8c1921

SHA1
102a97124a621fe92fbd7cff9c111a4a70b4f743

SHA256
086c5e90839248e258461faba8116225eb7d4dda79720dddefdd17aa9c07b072

SHA512
96a01e7cdd22fa77149b0a4abc4385161ef6c8a25ea11a7058072714580fe0016f7e2a0bac990558a79c869ddc8390c538e491f9ea7fd5d93a924015539e3aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc0594d24f03757c2b8901fc3327b55a

SHA1
fa27df9668e1fb6ece01a752ffe47f368a70c62a

SHA256
1e85b611b1bdf62e7eb688a071a32150641f50fdc5ab226ae10b1fdac87811d2

SHA512
e3406ae0f37156c3f819e660aa6936898c83d2e6d3a5d96d6c8bdfd37e4c90a707a0759977c8d2f14614e6c356a33499d8936cb8dc68e2d1e770e26f2e612299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581122.TMP

Filesize
706B

MD5
8f63b51cd02ef618985633f2e68a55ab

SHA1
a94184d320a701d022ff0bc05ffce5d6905e8411

SHA256
7033575b344787d41989741726de1aa6861c443ccaff0c3c5495e942bfbdf7d9

SHA512
7385a2d7daa0c8ac2ed0f862d6a70e054b97851eac5cdd83008f85994f4a7c08d053a8a80df55f578dc496e506ef68b50788d7c0e525aac489c4db0136bf16e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c93b6705-2345-4476-b073-572eeeddb15c.tmp

Filesize
5KB

MD5
aa4357b4b77238aaa4000a61d76fa57a

SHA1
ebac246301cd36e90f708c567acfe93bac237404

SHA256
ed58d3fe5e0b3bb37916fd0a55bdc59de922ffcc9d9563dd99d46a798fd32a30

SHA512
892b73048666a2bbb6c3bf7cf0c5d707d53be02d1e6cf93cbe6dfa9407155a91b1706c38cd174dd96ce2e72c0412d5d2889b40d4fe1ca532ae5b5b9a7e080ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a44f4c6d49f9c2c0c2f6f3503d3d353e

SHA1
817a36a9af424d134f00c3fa733d99fb96219f81

SHA256
bbc712f5e9ef9f1788120790bfdae2dd59a42891b994563b949edc1d58191390

SHA512
e9231266e1de58f2620da54ed4db686eba45a1f244dac343f1e48e7cb8aaf6d9214ba7e3c8049e0a2fb3cc1f56106dfd0e3bb4578ac6c1d8c9dd2b2de1175eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2975f7c9790a753c9bd3cad386e9d68d

SHA1
8bd1d57d485434500af811f072537befc8b92736

SHA256
e835cb5f84e5b49027c4bd509000943f3cce64f5cc830347729123bcae802f28

SHA512
f67a5059a55589c902a57e85ba5fed98f144947a0e4538870396375aa260162b9beab23bd7e90e3db5f8a2d3db97ee349a46902741aa86a4ddcdc29175b891f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e364aabd225ae33558b8aba61a502833

SHA1
242bef68c9c53fa0126563ea69baceffba93f208

SHA256
dcdd9cce940aafd35929df6b150bb0bc9cd84e84d7790ebe13fb6640950b3b3f

SHA512
c405d11baa936d42e34965b9792e30e1c7993f225689ca5ba6f568669bc5e068e2f965c2ee9b1de4b9c5baaa151e8647a14508f07b3755620e5f9a5da85bf440

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ad0dd3d64b432dff4df1d16b9859fece

SHA1
8839ab4c84b0824ab0b090296f15ae5e46646439

SHA256
6c6e5622f1a07f1b068bc40a85af4440a84805415711b8315e818eb2db947d30

SHA512
ecf288400e7b99e0543f8257631b79bbbe9048311080d515f656557d8142fe1a4427c6f55128d9123ec793a36805d4ca5046044b199f25a194937f07067959fb

Download Submit
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.exe

Filesize
3.3MB

MD5
5791d405ca0a97a89eeaeb4f2be628be

SHA1
a012d40aaaa01db12a83b0e4408d012fd383dd0b

SHA256
6c67a1bf1d558b31a790e4bdcef062c9b49f00a1b3d7361dfc8308d55b87bc5d

SHA512
3971447d6a5f1ffe51bb1acc0d2525aa5bca521358c67828e6bd983d68e8c22dfa83ab49109575bc113e13de861682af563a3ed21e5ef48cce1bfcdb8f1f2afd

Download Submit
C:\Users\Admin\Desktop\Panel Ejecutador MTA 3.14.zip

Filesize
1.1MB

MD5
d345c2eb24b0d3806865fda604ad1cc8

SHA1
6b813317f6108f2c242babda58097070503df242

SHA256
9261f3eefa0aef107e865784d8b8b62d4e7213056dfe535893920a344fa0d908

SHA512
76c941b833ffcef6da121c2e2735952ed81cbf7c6a6260a227040d37abf0adaa41461045c69710331345d52d95aac89ddf0a256ebc85fbdb2ed703106999ab74

Download Submit
memory/5600-475-0x0000000000090000-0x00000000003E6000-memory.dmp

Filesize
3.3MB

Download
memory/5664-478-0x000000001B950000-0x000000001B9A0000-memory.dmp

Filesize
320KB

Download
memory/5664-481-0x000000001B910000-0x000000001B922000-memory.dmp

Filesize
72KB

Download
memory/5664-482-0x000000001CB00000-0x000000001CB3C000-memory.dmp

Filesize
240KB

Download
memory/5664-479-0x000000001CB80000-0x000000001CC32000-memory.dmp

Filesize
712KB

Download