quasar | b497751b7d0e1988e1823d4153b3599f1ca3adf266cd6a6229e12443d775d655

Analysis

max time kernel
104s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 08:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SLC.exe
Size

3.1MB
MD5

6c7cafe14c7c3e1f29c7fa5c5cb1051b
SHA1

42511e8a5aff9d3ab5681e06c73f1e2f866739b6
SHA256

b497751b7d0e1988e1823d4153b3599f1ca3adf266cd6a6229e12443d775d655
SHA512

6115aba8cfde1f6974ed4ea031757c979c4061492405c0d95158be903db6bdaaf89e11ae92844d5f2c24c8f89c650d3386af4e26c9b4427b9f04d5cc7262d0c8
SSDEEP

49152:WvEt62XlaSFNWPjljiFa2RoUYIv8RJ6ObR3LoGdZTHHB72eh2NT:WvY62XlaSFNWPjljiFXRoUYIv8RJ6I

Score

10^/10

quasar slimed discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

slimed

124.170.69.79:4782

Mutex

b3546883-bf09-4184-b0d7-93f8e2017ac3

Attributes

encryption_key
F9BD0DD063B48ED4F322D04F8B868E3F8771E29A
install_name
Client.exe
log_directory
Logs
reconnect_delay
30
startup_key
start
subdirectory
SLC

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1468-1-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c9c-5.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
224	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4272	schtasks.exe
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
4388	msedge.exe
4388	msedge.exe
3316	identity_helper.exe
3316	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
224	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	SLC.exe
Token: SeDebugPrivilege	224	Client.exe
Token: SeShutdownPrivilege	5020	shutdown.exe
Token: SeRemoteShutdownPrivilege	5020	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
224	Client.exe
3948	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4272	1468	SLC.exe	83
PID 1468 wrote to memory of 4272	1468	SLC.exe	83
PID 1468 wrote to memory of 224	1468	SLC.exe	85
PID 1468 wrote to memory of 224	1468	SLC.exe	85
PID 224 wrote to memory of 1276	224	Client.exe	86
PID 224 wrote to memory of 1276	224	Client.exe	86
PID 4388 wrote to memory of 3708	4388	msedge.exe	112
PID 4388 wrote to memory of 3708	4388	msedge.exe	112
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 2248	4388	msedge.exe	113
PID 4388 wrote to memory of 3964	4388	msedge.exe	114
PID 4388 wrote to memory of 3964	4388	msedge.exe	114
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115
PID 4388 wrote to memory of 2336	4388	msedge.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SLC.exe
"C:\Users\Admin\AppData\Local\Temp\SLC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "start" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SLC\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4272
- C:\Users\Admin\AppData\Roaming\SLC\Client.exe
  "C:\Users\Admin\AppData\Roaming\SLC\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "start" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SLC\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1276
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RepairUse.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeacee46f8,0x7ffeacee4708,0x7ffeacee4718
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,4227393430315788835,274103419126844681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ff055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7cf1a98f-9b6b-41d9-bd38-1a553c29a65f.tmp

Filesize
6KB

MD5
9198236cbafa21e9c056c391a4deda32

SHA1
fc7a3696f49f36fc6f68ea4f12161151ab375442

SHA256
ba4879dd63ca735b2a6610196256e3ec8d03b8846399d5dc4b7189856930b1c0

SHA512
5c67c6969f96811abedcfa837bf4bdd46d146601426316ff3a4db2b5daf27e08604e5eb4a36e512ae649e964a95897c006698c9f13511b6bd93c891174b64557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e02461ee8117f9d30f986abfaf5459aa

SHA1
9e1dad30dc2560ed190f6ea39770a6441a7ccdd9

SHA256
51e36654a4548c01db474a9be622ca08f497ce53aaf81b6dfbfa99d751ddb77b

SHA512
7061830e9d6f740ac1281adf60e2fa2ebd933785dbebd765a1e2202c698c794fe0ebdfa6f0d8bfb6be82dfc2fce9089365f666ab2d28b4c64e41adb9bd311e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5788e26ff78fd11f3389fc1ad8feeb04

SHA1
8f807d09c077ba218f9cff614d8f74c3546c146c

SHA256
e77523d2ed8c01aca26c2816160f89dd2c65fd6a416fc808e2988c6f9ff79c7a

SHA512
a6d4d3d1bd1d311aa066f4fca3cf6f13af3c03094bfef9d967653c801872e06bfd27d468d168c29342fcdc85acd3a34241c60606fc58d6fbae25909391d39e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
3f9a8eb91c99fccd023d8aaae7f42595

SHA1
a5e004a780e339416a62be9a49c837a554df8b98

SHA256
828d46dcea0da865d10d0376e9ee25e086312ac051574c96615ee5bfe3b2a679

SHA512
a87c2dc9e91a1b2242b7cdfee931bb601b5817d2f9247ec8de6d342eac96636520eac26e5ad543249efe03c36eee363b9cba63325aa2703c45b731afec67a116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
bc19baa2d8bf5093b8649b692a859855

SHA1
61ab486b43f024d812758d65da510b777c200160

SHA256
22af6625c97718941eced10e88871781227f5b3efc11b1615dd69c161603da2e

SHA512
876862f9ce566b5897c7220f4e0eeba7d238beb3376ef614c78bd5e09dc18efb946616062e727c0829e74880f8465b32a88249bca72ce978ed473e70f67d06d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
ee044a2b6e4fa0e4ad0cd2b5ab5d1c2b

SHA1
84e19af81da9324379f00437b45f2c424f85d4dd

SHA256
113a9796ec8647a5c81a57b2690e05a337ef5f7b3fde624d45f7d102001bb6bd

SHA512
1079144a361df20f40da4b67d6e76b67d6322cda1fee0acee5f3507e2429d50f5e9164b650e76c888d0c7cd8f3ed9b5a6ef3080948b60d9d8e9a0b20b8359f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589ecb.TMP

Filesize
538B

MD5
21bc14bfafbc7a40ca98bed13f149004

SHA1
152c03795daf5e2e5c2978631320c4613d05ec34

SHA256
c9dbfbd1adf56e44ea0320c0329fc6b00c8e22245b64ed4f2e6d37f2c4fde8d8

SHA512
38335d95d599bc0b3b0936e10f5c6dfce812364421bf020ad50643adb74984dabdc1b022c17e855c907d9055f16595e6e1ef8d981be74cb6191b79eda93c5c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bf7f7fbe-78b9-49e8-b7ee-d21ffcf50b35.tmp

Filesize
5KB

MD5
9a4b1930419cfe01d6649d9d29867681

SHA1
d382be217639f70052ccbef568b2f2f97a7d24d4

SHA256
12e26788d0a1971c3319e53207fcda9e3a87dfdc64fc77a9bc992a683ae3795a

SHA512
49707a7a805191a8d1f4eae23575e9ae94f12d9a560475d2b15b18844800bd829bddd2cb84f9f61eaa2c463e3068b455920d760dc91450a4c46412b427f749e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9e8f7c12c3d67737abae60c5394093a

SHA1
ebda66d3f37d3c9e0d543a8ecc3360431d867830

SHA256
b76dd81f8e46b168d416c433ca034d5534796ae482804ca31b111f15a2fd6909

SHA512
3fc44a6fe40d0b456cdf78d4d93fffe38a22f6c5fe604a9a2bc3d4463a9191e84fc9dce8c64148552a7b68e3d57188b9f7386f9584b67015a271205be3fd977f

Download Submit
C:\Users\Admin\AppData\Roaming\SLC\Client.exe

Filesize
3.1MB

MD5
6c7cafe14c7c3e1f29c7fa5c5cb1051b

SHA1
42511e8a5aff9d3ab5681e06c73f1e2f866739b6

SHA256
b497751b7d0e1988e1823d4153b3599f1ca3adf266cd6a6229e12443d775d655

SHA512
6115aba8cfde1f6974ed4ea031757c979c4061492405c0d95158be903db6bdaaf89e11ae92844d5f2c24c8f89c650d3386af4e26c9b4427b9f04d5cc7262d0c8

Download Submit
memory/224-17-0x000000001C450000-0x000000001C48C000-memory.dmp

Filesize
240KB

Download
memory/224-11-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/224-9-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/224-18-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/224-43-0x000000001D4E0000-0x000000001DA08000-memory.dmp

Filesize
5.2MB

Download
memory/224-16-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

Filesize
72KB

Download
memory/224-13-0x000000001BC50000-0x000000001BD02000-memory.dmp

Filesize
712KB

Download
memory/224-12-0x000000001BB40000-0x000000001BB90000-memory.dmp

Filesize
320KB

Download
memory/224-449-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-0-0x00007FFEB3DF3000-0x00007FFEB3DF5000-memory.dmp

Filesize
8KB

Download
memory/1468-10-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-2-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-1-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads