quasar | hxxps://gofile[.]io/d/Qghnbe

Analysis

max time kernel
145s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Qghnbe

Score

10^/10

quasar office04 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

98.218.3.74:4800

10.0.0.34:4800

Mutex

dd229ccb-39cd-4301-9413-ea14fa25ce22

Attributes

encryption_key
F023A1C93603AFE96871B3F0323AA7B852FA745F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab3d-68.dat	family_quasar
behavioral1/memory/1192-98-0x0000000000AA0000-0x0000000000DD4000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
19	4916	msedge.exe

Executes dropped EXE 12 IoCs

pid	Process
1192	Client-built.exe
5440	Client.exe
4720	Client-built.exe
6108	Client-built.exe
5764	Client-built.exe
5788	Client-built.exe
4220	Client-built.exe
2424	Client-built.exe
4708	Client-built.exe
4316	Client-built.exe
5744	Client-built.exe
4012	Client-built (1).exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Client-built.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 998919.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 521103.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Client-built (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 776752.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
4692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
5348	msedge.exe
5348	msedge.exe
4088	identity_helper.exe
4088	identity_helper.exe
4360	msedge.exe
4360	msedge.exe
972	msedge.exe
972	msedge.exe
2004	msedge.exe
2004	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	Client-built.exe
Token: SeDebugPrivilege	5440	Client.exe
Token: SeDebugPrivilege	4720	Client-built.exe
Token: SeDebugPrivilege	6108	Client-built.exe
Token: SeDebugPrivilege	5764	Client-built.exe
Token: SeDebugPrivilege	5788	Client-built.exe
Token: SeDebugPrivilege	4220	Client-built.exe
Token: SeDebugPrivilege	2424	Client-built.exe
Token: SeDebugPrivilege	4708	Client-built.exe
Token: SeDebugPrivilege	4316	Client-built.exe
Token: SeDebugPrivilege	5744	Client-built.exe
Token: SeDebugPrivilege	4012	Client-built (1).exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5440	Client.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5440	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5440	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5348 wrote to memory of 3348	5348	msedge.exe	77
PID 5348 wrote to memory of 3348	5348	msedge.exe	77
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4880	5348	msedge.exe	78
PID 5348 wrote to memory of 4916	5348	msedge.exe	79
PID 5348 wrote to memory of 4916	5348	msedge.exe	79
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80
PID 5348 wrote to memory of 5816	5348	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Qghnbe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2936
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5440
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4668
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5764
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1680 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Users\Admin\Downloads\Client-built (1).exe
  "C:\Users\Admin\Downloads\Client-built (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4888669930534713400,3480092150907688049,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6fb5bdc2064c968afe97cff26298ebf4

SHA1
a85fc8099a7afe327a32a3dc5ca700392aa878c5

SHA256
f8a04d30ab3fd0acba0e5f907c745aac15902b51d6b9729a005660ffc90f4eb8

SHA512
90012d5621563a409ba5b7b9349d69b59af92a1ce49fd12642b9c5691364b4f0d96d33776d8573b63587a159a68d4a34df6c5f39db8801bf946c1c3eea6e65ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e27bb68c866bc0c9ffc0dfdced1fbb9f

SHA1
59dc903773ee3d0aaaa8f54e4c2352801045b5e8

SHA256
d15df0b28c04e6ce3eb87139dc669dc61bfe0e8933d8725bb01df54d09758f3f

SHA512
3870d2ce7ab511da66d12035594baea3e40c69b5b658de027f6a64117cc2a3bcd7dfaa172894f6805bca53b51e8927be8d866f5247cbbf9395aef08f41b63e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b40fb0c6f9e0a3490ca3b1fcd7a0df0

SHA1
be79aaa0203982fc1145a4b61c9139d95fdf0cee

SHA256
eac2e9a64a9f625dd60b3a2ed9f32f3cfefacf725bffd688d86ef5bae93782df

SHA512
857b6fabba47e9083db0a2e0c00653c1bf6a0297df66f9a113a3e885710888e9419e8974698e1da97c831a13ffce2eca1b271d91721a8050410b4c48975826b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bf0019b7ded6e13f34c593114863143

SHA1
bd8eec0296ce8555af98602e11e34043b9247cda

SHA256
257dc0e555dc3e464a7f940e4d77d7cbc78841f5788831f608768c50386340bb

SHA512
0649554b30c60b64555860c3e09df32d685196b59771030a606ff21e026b6d4b648da0d383d03bd927b0d01ea0dfb4d05be2e84b82b116e5912771694e72cefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88e0b7a5025efe0cdc58e0fda60c664d

SHA1
c73bd25ef47809e5664ba1a955442531a3973be6

SHA256
d9a025a3a9a1f904c30a783d8e35f2c7658ba2192d943b07b0a03e17109c74f4

SHA512
f631b58984095350351c07abe330fe5d93069d0b1cb92472749cc382d541c18081b7cbc42c6f4ddcf110721f68552b30a699543dcfbda9008e10432550f17fe0

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 776752.crdownload

Filesize
3.2MB

MD5
14f2d5b34cc1c9ca87ae1387ee6cb5fa

SHA1
53cf3d9cbf058e4e0e9fd2e6e10b938a81d1309e

SHA256
3ebf548fd226fad09d7de88cca9cb56cc97dcabeb9cc2f375a9de12a3d453723

SHA512
d6f83f9e06dbca8fc721bf85c34c9e1d2cd3ecff158bbccb16b0f4c519530372fb011445e451df5e3e81243b0000361ee601331acfae5dc71fa92fd9f51fb302

Download Submit
memory/1192-98-0x0000000000AA0000-0x0000000000DD4000-memory.dmp

Filesize
3.2MB

Download
memory/5440-106-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/5440-107-0x000000001C470000-0x000000001C522000-memory.dmp

Filesize
712KB

Download