quasar | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

Analysis

max time kernel
96s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2025 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nx7phD.html
Size

7KB
MD5

aa5d13590623abb5d3963a8af5dfb85d
SHA1

8dcb62e75f970ac4f9f78e2558f335951b599774
SHA256

4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA512

94899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
SSDEEP

96:CMq9SlLh2B3Zq36uWl/PtxyjttJQ8Maoah3vL5LaNclmnU1Eh2sS:T1lLhwJrPahtJxMaoah3vG12sS

Score

10^/10

quasar office04 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.0.2.15:4782

Mutex

66d25d16-09a7-4f10-9c42-f3d9c7cdb26e

Attributes

encryption_key
CA4CB708676EB95751DED8C839286B4754CDEA48
install_name
GalaxySwapperV2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
GalaxySwapperV2 Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab90-142.dat	family_quasar
behavioral1/memory/3444-182-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	4056	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
3444	GalaxySwapperV2.exe
2880	GalaxySwapperV2.exe
6076	GalaxySwapperV2.exe
5424	GalaxySwapperV2.exe
2728	GalaxySwapperV2.exe
5352	GalaxySwapperV2.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GalaxySwapperV2.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 969721.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GalaxySwapperV2.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\GalaxySwapperV2.exe\:SmartScreen:$DATA	GalaxySwapperV2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4952	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4940	msedge.exe
4940	msedge.exe
684	identity_helper.exe
684	identity_helper.exe
4132	msedge.exe
4132	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	GalaxySwapperV2.exe
Token: SeDebugPrivilege	2880	GalaxySwapperV2.exe
Token: SeDebugPrivilege	6076	GalaxySwapperV2.exe
Token: SeDebugPrivilege	5424	GalaxySwapperV2.exe
Token: SeDebugPrivilege	2728	GalaxySwapperV2.exe
Token: SeDebugPrivilege	5352	GalaxySwapperV2.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	GalaxySwapperV2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 5184	4940	msedge.exe	77
PID 4940 wrote to memory of 5184	4940	msedge.exe	77
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 5132	4940	msedge.exe	78
PID 4940 wrote to memory of 4056	4940	msedge.exe	79
PID 4940 wrote to memory of 4056	4940	msedge.exe	79
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80
PID 4940 wrote to memory of 4564	4940	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\nx7phD.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6b93cb8,0x7ffaf6b93cc8,0x7ffaf6b93cd8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10284325444445757238,16836223277284069411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Users\Admin\Downloads\GalaxySwapperV2.exe
  "C:\Users\Admin\Downloads\GalaxySwapperV2.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "GalaxySwapperV2 Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\GalaxySwapperV2.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4952
- - C:\Users\Admin\AppData\Roaming\SubDir\GalaxySwapperV2.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\GalaxySwapperV2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2880
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "GalaxySwapperV2 Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\GalaxySwapperV2.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2480

C:\Users\Admin\Downloads\GalaxySwapperV2.exe
"C:\Users\Admin\Downloads\GalaxySwapperV2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Users\Admin\Downloads\GalaxySwapperV2.exe
"C:\Users\Admin\Downloads\GalaxySwapperV2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Users\Admin\Downloads\GalaxySwapperV2.exe
"C:\Users\Admin\Downloads\GalaxySwapperV2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\Downloads\GalaxySwapperV2.exe
"C:\Users\Admin\Downloads\GalaxySwapperV2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GalaxySwapperV2.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\449081b4-b4bc-4876-9aa0-b4ab97bae912.tmp

Filesize
5KB

MD5
e619440abd0ad4803826062256cef765

SHA1
ec85e7c92a60952ae69abd49058fcfcd69bbee3f

SHA256
78944a4772b6419f09de592fc696acb5f8d4f3292421582f77e0d64a397eb146

SHA512
519ae283b34a93c89d743871554e666b16fe4dd40337f2b328808a46eec493a43e8556c154cce70bf803d82a36bd0bbd015077526333c11f099faa2d63e0c4a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
03e1050ba9c742c137051788881502a5

SHA1
07f276b0ed29737c46d952efd31a803f85d0a1a0

SHA256
a76b41c6839809dece0bce5c34acbf49e9a1aa3073d3b0b13f84227fc3436852

SHA512
efc8a4edfd93d9f9446d265eede61770b57ab273ebf421c969a72426b73a348f9c09a348a2fdf68ce3a021313e474ece3858e512bdf79ebe4c7c30f69e75b43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1000B

MD5
b41205bbf82113ff459f843ba873d684

SHA1
a65e2b60f11641f10fd1e19d1920c53c067bbc4c

SHA256
44355bca33c7e0de0cfefe7f3a8134edc6c4399caee706183759bbdc9e92a3d3

SHA512
a22d7dff791d19e626b4b802120e7cc467b7c62d8c601b3f4a0d30257e49c46256a6d85b3577c7f6b3aa0cbde461ecf6c803f8f5a551ac6c5c7a401f935813aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7c8efad08b24e17d39c282d205f651b

SHA1
69018e29a3d8cff2645f981379d00b4adb73e354

SHA256
9f7c6f9f8bbbbfd5c517defa97d8a7e535f5335b0a1b1751b3290408abef20c4

SHA512
76a8439be3f2f2c42e3e95b3ea6ba8aeba262e8c269e25e5b6948a97b4a2f0ba5a4dc704534f0c37979446e77874fb890f587338df6a839296619c631214aad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82a927c624236a7c230224a1740252e1

SHA1
7e0b6bfb766fa62268eb9803bb62b3f056b6bbcd

SHA256
c2e8de54164f05d6470203dd37c34782082474d8735aa9c6c73b2733d526dc75

SHA512
69d0436d16a0fa7ac620db0357b6013b18621cfdaa4c9d1650da45383824d8ddcda91c6af0e6585a1cc3b4188a8532b2195a8e4754468fb5b72c8d34784efb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e623454b89d014b0a47b5dfff919c838

SHA1
b46358a37a04721f7eff070e8890afa9431c7f41

SHA256
62c5e5f905886e8ccd5260cc1d0e4dc4132cbd25274ddae2b8681e4af99377b7

SHA512
9f8fdd461f7d608984f05866c3d967b978cd5260b7664ffd8980fb5fd325787b1e75627baafa657cfd5669038ab470f511669742503bd1de98df6ea95a4cf068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d58bf190447fb04d641e56c7489e83e4

SHA1
1198116cbd0d998a6a86a4a572b6ca20232f8570

SHA256
c5b4759ee476caf022cefecb2c9e6067d4064c83f37872247b64aee70f93ae73

SHA512
f2dc184b115f26ac79efef39327cbefe099023b626c4671b8943ec7b9a8d19cc6e7d123d7c83d9e165221e6086e3308f63ccc0c0eeda773bb0aa3d9407b8d383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa207ae32df35ada4c606d3d4af1e5a2

SHA1
f808fbda9155c2686f39b19ed8dd59e1c54b54e0

SHA256
7118cfbd4c0363c50ce86375293b7efc9ad5f6fe4a719267f82ee49e7da27c00

SHA512
d0be09ebabe78a496b705169b15986a446c220c851ebde6fe66081fc6a709a310db98a777627e574f8fe242ade0cff88d5adde8e8b710ee4ffc64b0429f4ccac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3391fccf54d7bb8bb8d6974593f4f200

SHA1
c0419b16bea7178cf5a940f4411d42dab4e27b1b

SHA256
1d3c554dc77a6130f0cbe396611b4a9f33860dd45c2b00d409860ac0dbf68f9e

SHA512
3d231fa15c1b3671c5b28d7ac327fe08d9693b17cc22e182f4337ab4a5d384f739f7ce69c382e2bbbeaaf28fe0954053be1d45b192117e10501c641d208f89c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cba9b1be3031639d1f151e4dbfd126b7

SHA1
fdeec193840459493db9cd1551703ce0247096f2

SHA256
4f0d5d226ebabe0b61a5760690e69cabb87e504b72be46801e4c678f68e43dfb

SHA512
439ca0233f15dc8386aca2ddfeebe647e35a6959702ab6de4dd964cfa81f4552b20ac1125f3225cdc97918913434a2efd8d06bf3e1db354fcd70f525155c5969

Download Submit
C:\Users\Admin\Downloads\GalaxySwapperV2.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 969721.crdownload

Filesize
3.1MB

MD5
4473eb5f028928243a62f140394b1a87

SHA1
737e1fd958a58ecd7e7bc648c51040eb291d48ec

SHA256
e6c9154f27b20bbcddef45d027df342ef2259f2e6b982ffff199ec9824bc53e1

SHA512
96e4f3a71a595bf78e8ee32fb0af43f9082fd82863d9fbcbcbce44ec6fac756cf0d03b19091e4900af866242ebf79d02c7df3aadd7905df73db1b8f5257293dd

Download Submit
memory/2880-192-0x000000001C560000-0x000000001C612000-memory.dmp

Filesize
712KB

Download
memory/2880-191-0x0000000002FE0000-0x0000000003030000-memory.dmp

Filesize
320KB

Download
memory/3444-182-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download