quasar | c23c705943e416e750d0df38fb89f40188f0172eed163ec0d1458a993744f415

Resubmissions

11/01/2025, 14:51

250111-r8efbstram 3

11/01/2025, 14:29

250111-rt2bjs1nct 10

Analysis

max time kernel
42s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.exe
Size

4.9MB
MD5

1958ebce3ce234f5bc991d75bbeac04d
SHA1

a3a65a551398e3c81ecb8f4729ea4f879e018ea4
SHA256

8961760a99a872da1ba6555b2eafaa8e68dfce94136156fff0651ac61275acf5
SHA512

c99210237ac3135c9f75eeafe4803b129d0f7749c3960a8d127e4c28f982c8ecf61672bcf358a5f76cc02bd5cc27ca9863ed9d24ca75242db9799aa84675ac9c
SSDEEP

49152:DAodtaG9kS2U84B+FLan9k5TRM9zlfVjjotfsdS2Mc1xZ9mw53PvOL7CaI4LOOEl:h/B179A2Pbn2shvit4xAhQRxGck6lh

Score

10^/10

quasar nmw discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4040-16-0x0000000000400000-0x000000000078E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4512	powershell.exe
1676	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	lol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	lol.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 4040	1608	lol.exe	87
PID 5104 set thread context of 2728	5104	lol.exe	102

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1268	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4512	powershell.exe
4512	powershell.exe
1608	lol.exe
1676	powershell.exe
1676	powershell.exe
5104	lol.exe
2732	msedge.exe
2732	msedge.exe
640	msedge.exe
640	msedge.exe
5052	identity_helper.exe
5052	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	lol.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	5104	lol.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1268	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4512	1608	lol.exe	84
PID 1608 wrote to memory of 4512	1608	lol.exe	84
PID 1608 wrote to memory of 4960	1608	lol.exe	86
PID 1608 wrote to memory of 4960	1608	lol.exe	86
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 1608 wrote to memory of 4040	1608	lol.exe	87
PID 5104 wrote to memory of 1676	5104	lol.exe	98
PID 5104 wrote to memory of 1676	5104	lol.exe	98
PID 5104 wrote to memory of 2360	5104	lol.exe	100
PID 5104 wrote to memory of 2360	5104	lol.exe	100
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 1324	5104	lol.exe	101
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 5104 wrote to memory of 2728	5104	lol.exe	102
PID 2728 wrote to memory of 640	2728	aspnet_wp.exe	109
PID 2728 wrote to memory of 640	2728	aspnet_wp.exe	109
PID 640 wrote to memory of 3496	640	msedge.exe	110
PID 640 wrote to memory of 3496	640	msedge.exe	110
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111
PID 640 wrote to memory of 1180	640	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\lol.exe
"C:\Users\Admin\AppData\Local\Temp\lol.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\655632650.inf
  2⤵
  PID:4960
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff317046f8,0x7fff31704708,0x7fff31704718
      4⤵
      PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wab.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7fff317046f8,0x7fff31704708,0x7fff31704718
      4⤵
      PID:5612

C:\Users\Admin\AppData\Local\Temp\lol.exe
C:\Users\Admin\AppData\Local\Temp\lol.exe
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\552134928.inf
  2⤵
  PID:2360
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xe4,0x104,0xfc,0x108,0x7fff317046f8,0x7fff31704708,0x7fff31704718
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:4192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      4⤵
      PID:1676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
      4⤵
      PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
      4⤵
      PID:3280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
      4⤵
      PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3454348419946738905,3972599607764111372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      4⤵
      PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff317046f8,0x7fff31704708,0x7fff31704718
      4⤵
      PID:2388

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
98KB

MD5
c0fc67fbc5c5eceb437b516b4365aa86

SHA1
6b5a02dc604f8b87eb9d456969b12b45dda79baa

SHA256
0b8baebdd76118229f6b486ab07c66d05b104fcc8a80df53261769f80ea093ea

SHA512
e73b48bd36052a2f31aabf40b32ada01fb8c92345a20e22126bed271bcab08ba0a677fd9fd29cca23e98379b6c1e0601bdae9f90c38d9369ba32f292450886d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
628e94cc9b61653446ff3838fe80f241

SHA1
ee0e339925e72f2d560159a21e013a76b8fc0faa

SHA256
dea06c7d04dfbddaaf8189e14591f79e597eed75390283d109b210ba2bcf0638

SHA512
6cd0ade543819038606cc10f611fc652184ed5a27ff33c483a59338c49f5b6635f0ba33bf7e1aa9d693a188a9b7d4e5252136aaa7e97508c9bd992a9a31eefa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41ea5998bf2811e52ba1f843b90e7b21

SHA1
c63fce5760602574f48dcc225b3463af6d7d055e

SHA256
73eaeb471e5c9cad8aef48c21faf6bbf444bb3fbcd7bf79f666f95bfe87ba6df

SHA512
e99a11ac765f1cf564db4066ccd2716fcd71455f7c8928246bfa469f13530158de3e208c879a145fe91fd80567d5618a743d0cea6ff2371206641d1360015422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e03b1a479a5e20181a4fd54f95e4d18

SHA1
bde3f678922a04cfa352d9ac5165f1c258ba8b43

SHA256
0ee482fe38edff29e11ac0d29532038a653ee484f8658441c3c4c16a5d608b4b

SHA512
2fbc92c4ed0017aa53636318e8fdf9e4a0f427e41cd573cd69dffef38afa52b4f26b99e4ce4c61e5705fae1f5593c1ab36df2bd3a6dbde26046360a09e6c7636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
73c6d93b37e8321abd3249ce797f784f

SHA1
9fe7c92b8d00ab6c6ea2f639daf4b277c5e6ecaf

SHA256
d48b507a848af8d489fe4683a1fb1dfcf6a4a3618ae8214c7e90f44ed2483dad

SHA512
d30e90120587b99147a2dbaf85ffcb979c8e3c7b45492c5dcc25ce094bf740a231cea997c9ad6103654803e0d43d0069a556dc1339a990a57be75924c291e99b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589d45.TMP

Filesize
371B

MD5
acfb542d270c9a69bd01244a1ae45ff0

SHA1
af47fe2385233be32f5f4ce000ab9602f90a7e20

SHA256
789f33ff809d6445d7da65473d6283008e7a125b8605509420e7d2e416159013

SHA512
f7b4af5ad1925b8ee515b8715aa821fbe87d9d8f47bbb36b25cbc9da1e210f26a2d6c8930e4abc090c91f33920efb7adad0f9be9820f1e67590517f9ba1c341d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2069cbdea02224276a68e236c83be3b3

SHA1
241a91372a1f265fb810c1bb23dc5a5face2fba9

SHA256
84b2767ad70bfed727665c254a572a14ec06da9c79a8d1f7d11895bb50dd53d1

SHA512
5c489c073442841272b0f374ce686a75b67f4371cd631d7cc7ab8300a7978839f3d52e26735ae5c9269b9ada001bcc46eec389b53d0a3d183cfa5bfd82e03f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_syq3rcfv.rct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\lol.exe

Filesize
4.9MB

MD5
1958ebce3ce234f5bc991d75bbeac04d

SHA1
a3a65a551398e3c81ecb8f4729ea4f879e018ea4

SHA256
8961760a99a872da1ba6555b2eafaa8e68dfce94136156fff0651ac61275acf5

SHA512
c99210237ac3135c9f75eeafe4803b129d0f7749c3960a8d127e4c28f982c8ecf61672bcf358a5f76cc02bd5cc27ca9863ed9d24ca75242db9799aa84675ac9c

Download Submit
C:\windows\temp\655632650.inf

Filesize
512B

MD5
47bd066ba19bec1b8a7a947db20b343b

SHA1
0d2b3f71ece9bed2723e1799f3a3b5524b5ad421

SHA256
6e8338d3f69602ccbae478c887acb4f561eb450c48f100c53da74bc925b3e966

SHA512
e7e403fc5adeaddf5df00566ef60837de73d3a593e9c6aecc672c4251ad3d7c5bbfebe982f75e686b17733d9e8a5f2bd7734dc1391a3017bbb1d52f8109ccab9

Download Submit
memory/4040-16-0x0000000000400000-0x000000000078E000-memory.dmp

Filesize
3.6MB

Download
memory/4512-12-0x00007FFF303E0000-0x00007FFF30EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-1-0x0000021847750000-0x0000021847772000-memory.dmp

Filesize
136KB

Download
memory/4512-0-0x00007FFF303E3000-0x00007FFF303E5000-memory.dmp

Filesize
8KB

Download
memory/4512-11-0x00007FFF303E0000-0x00007FFF30EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-20-0x00007FFF303E0000-0x00007FFF30EA1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-17-0x00007FFF303E0000-0x00007FFF30EA1000-memory.dmp

Filesize
10.8MB

Download