Overview
- static: score 10
- ZenStudio.exe (windows11-21h2-x64): score 7
- $PLUGINSDI...er.dll (windows11-21h2-x64): score 10
- $PLUGINSDI...ns.dll (windows11-21h2-x64): score 3
- $PLUGINSDI...el.dll (windows11-21h2-x64): score 3
- $PLUGINSDI...nu.dll (windows11-21h2-x64): score 7
- $PLUGINSDI...em.dll (windows11-21h2-x64): score 3
- $PLUGINSDI...dl.dll (windows11-21h2-x64): score 3
- ZenStudio.exe (windows11-21h2-x64): score 3
1Analysis
- max time kernel: 595s
- max time network: 599s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03/05/2024, 17:51
Behavioral tasks
- behavioral1: ZenStudio.exe (resource win11-20240419-en)
- behavioral2: $PLUGINSDIR/DotNetChecker.dll (resource win11-20240419-en)
- behavioral3: $PLUGINSDIR/InstallOptions.dll (resource win11-20240426-en)
- behavioral4: $PLUGINSDIR/SelfDel.dll (resource win11-20240426-en)
- behavioral5: $PLUGINSDIR/StartMenu.dll (resource win11-20240426-en)
- behavioral6: $PLUGINSDIR/System.dll (resource win11-20240426-en)
- behavioral7: $PLUGINSDIR/nsisdl.dll (resource win11-20240426-en)
- behavioral8: ZenStudio.exe (resource win11-20240419-en)
General
- Target: ZenStudio.exe
- Size: 17.2MB
- MD5: 2b8322f747ed7623d698c524ccf2ea16
- SHA1: fae3a00cd6334cee7e793aa6bb56bffc45c0bca0
- SHA256: 1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709
- SHA512: e1a3070b760cd7999339a21e72618b7614c1b26bf5b2acbbdfd45c27eb115d0d566fa5d835cf505d274025366a2a474450bd49b3607340cf52731c7f26e784e4
- SSDEEP: 393216:DaLCsFu4++WuIuffxPvMFQFgs20pHOMOv59/dWnnETyNS0yRMtEX:DaBIETfMMuMWHlo9vyrX
Malware Config
Extracted
- family: quasar
- version: 1.4.1
- Office04
- C2: 192.168.1.116:4782
- f55cb366-2131-4b43-b653-b1dfe19ea719
- encryption_key: 2209A46D68E2D7B07274489E0B5E4FBE909ACAFC
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Update
- subdirectory: SubDir
Signatures
- Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x001c00000002ab60-227.dat | family_quasar
  behavioral1/memory/784-265-0x0000000000B60000-0x0000000000E84000-memory.dmp | family_quasar
- Downloads MZ/PE file
- Executes dropped EXE (13 IoCs)
  pid | Process
  784 Discord Spammer.exe; 1352 Client.exe; 4568, 1808, 4140, 3972, 4084, 952, 4480, 3884, 1580, 4804, 2128 Discord Spammer.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2840 ZenStudio.exe (2 entries)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2400 schtasks.exe; 3764 schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings | msedge.exe
- NTFS ADS (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 637145.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Discord Spammer.exe:Zone.Identifier | msedge.exe
  File created | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA | Discord Spammer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2328 msedge.exe (2 entries); 4596 msedge.exe (2 entries); 4824 msedge.exe (2 entries); 5080 identity_helper.exe (2 entries); 4176 msedge.exe (2 entries); 652 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid | Process
  4596 msedge.exe (15 entries)
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege for 784 Discord Spammer.exe; 1352 Client.exe; 4568, 1808, 4140, 3972, 4084, 952, 4480, 3884, 1580, 4804, 2128 Discord Spammer.exe
- Suspicious use of FindShellTrayWindow (37 IoCs)
  pid | Process
  4596 msedge.exe (37 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid | Process
  4596 msedge.exe (12 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1352 Client.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4596 (msedge.exe) wrote to memory of 4916 (procid_target 84), 1484 (procid_target 85), 2328 (procid_target 86) and 3032 (procid_target 87); the 64 entries are repeated writes to these four child processes.
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe (PID 2840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe"
  Signatures: Loads dropped DLL

- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4596)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4916)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a423cb8,0x7ffd4a423cc8,0x7ffd4a423cd8

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2328)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3032)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3868)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2344)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4804)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 556)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 5080)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3212)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2060)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1652)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2324)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3872)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4980)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4176)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
    Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 784)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; NTFS ADS; Suspicious use of AdjustPrivilegeToken

    - [3] C:\Windows\SYSTEM32\schtasks.exe (PID 3764)
      Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)

    - [3] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1352)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

      - [4] C:\Windows\SYSTEM32\schtasks.exe (PID 2400)
        Command line: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        Signatures: Creates scheduled task(s)
  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 4568)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 1808)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 4140)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 3972)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 4084)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 952)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 4480)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 3884)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 1580)
    Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 652)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3580 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\System32\CompPkgSrv.exe (PID 652)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- [1] C:\Windows\System32\CompPkgSrv.exe (PID 2988)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- [1] C:\Windows\System32\rundll32.exe (PID 3028)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- [1] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 4804)
  Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

- [1] C:\Users\Admin\Downloads\Discord Spammer.exe (PID 2128)
  Command line: "C:\Users\Admin\Downloads\Discord Spammer.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b4e91d2e5f40d5e2586a86cf3bb4df24
  SHA1: 31920b3a41aa4400d4a0230a7622848789b38672
  SHA256: 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
  SHA512: 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

- Filesize: 152B
  MD5: 22cececc69be16a1c696b62b4e66f90e
  SHA1: b20b7f87f8bc64c1008b06a6528fc9c9da449c2f
  SHA256: d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258
  SHA512: 2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

- Filesize: 152B
  MD5: 5a85ad170d758e61ae5648c9402be224
  SHA1: e6dfce354b5e9719bc4b28a24bb8241fc433e16f
  SHA256: af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617
  SHA512: 641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 288B
  MD5: f5daa7d735aaee1e4d4869cf57f6e07b
  SHA1: d915cf03892e9bc4ee524bca3a06eaf021d716fa
  SHA256: 83632a00256f5ff8e2378e601ff7f256f3e42f110fe7a5d79a7f41bfbd3c22bd
  SHA512: 2ee4121384e7f4286bd1598e23e9a8fa67c810d905820890212747a8e7b44064b0baf4559fa10c6328daf4b9683d47c1873eb9a90b2ec319e2f88ab624600abd

- Filesize: 387B
  MD5: a76d8ae9523bcf5bb2caa451121a0d91
  SHA1: 4867caa19f280aabdc4f85f6468335d70ad1d996
  SHA256: 515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b
  SHA512: 9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

- Filesize: 5KB
  MD5: b17335a194ca657fbe646b88280b37a3
  SHA1: 164a8568ccb19f20fbcd8b76fa52d3ae241c3a0a
  SHA256: 0ad5a78d5ae9a6fa8aa5c145fb9b6852f48d8ead700803feef3b82615690ab66
  SHA512: 0af7fe2245f7e5874d9fc5ce2b2d39d08494f5e075544eacd033fe8e1b55ccdfe40e1c502673531e1968c78a2cd172e78bba218a1522fb5c8297dedecd62ebf4

- Filesize: 6KB
  MD5: 4846bf099d76f22adfba5196e3238476
  SHA1: 5d40bb39f2c5ea768464ae77f9081eb428925142
  SHA256: 1233912ed8d00a17be0abe84a3aa79f0b8a52fcb53e93e64e9a83f8ac7380236
  SHA512: e027528dcd7783ac20c5c0c777b83ca64e75d4dfb7ef67dd310861991ca30e3b858c3e33868baef205f8ece4e6ea1bd97f50be78044cbfc4960fc42100bbd5bf

- Filesize: 5KB
  MD5: 1379f9d5ea26381c4a28ff656de785a5
  SHA1: 1be6663c7b1ee069e61b83c5d23845010cf4eef4
  SHA256: 49d0381c847e86e9a89d63aa8f5a2bdde071068b58068fabfaf76e99bfa32265
  SHA512: 07cd13e08efd7e69a4dce6d036f37feb609adec3f5b3c5c6fbe02ef8e4cc35c97c7812aa0d85bc5a11b8f23b2b8e8704bf2ae98e06da922f0ff8eb3ae1d8fad6

- Filesize: 5KB
  MD5: 1babd2bf870221bf3cbe1169a2d88478
  SHA1: 1e49d37e913068836200fd5b8ce06b721e3a693e
  SHA256: 5db7821e7e31c9b4110aec72719dad5b58503103564644a3d684e92a4f36ee89
  SHA512: 50efe44464a3265d0a39ec498d77df8828c5de69463980ee151f1c5ab004aa79a3b4193c4dc6ae98e203b6686c2e3316eb211a4d0b47faf857713c6d0b572d5e

- Filesize: 5KB
  MD5: 248ee323bfbd827ed0b9f6709d424dea
  SHA1: 5b76d691f5da8ad25fb3e7c6a0db38007a435b9a
  SHA256: d00bbaff790282e7787e15194d319215f0193a5c9b8042763dbf5502e0bc5b3e
  SHA512: 7cda75d98c005dca1c68f4df247e9713bd79c0b7b92fb0eecbead82602a61569816980a885b9548aedfd07489087f6e31c461c788c69bc01b6c7cc226628ec97
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 12KB
  MD5: 794b5a40d9862dd2673e890a9acf7d6a
  SHA1: 895be693322ab701384b02a401e63b24341f62ae
  SHA256: 085d3f96656baecaa3af3de608bfe3e329c1baf8509f38c56b26c9d94292511c
  SHA512: da33aabce9c6b780217c8c4d9298818ed526dd82c81b02ca7ee96f2b81414187e290607fa3e65374f9071a20e547265181347171325f95e746d41f0ca80b9829

- Filesize: 11KB
  MD5: 8b0ed1b019fcc55c4e086fcd013f7487
  SHA1: 853ccad344126bcd02ac1d1bdb1e89d241b39c3d
  SHA256: 38410cfff783b1734f5f0cd69a7cb2e653bdcc562850ddf971d45113a7f10bd9
  SHA512: bef79b32438473cdfb792a4517bb60f47abaca9b2034b682848a3fcd3fa6b14b17a034fb193f181f77bd998a292f1cb9e6e7a993b3a2347c0b13a72e72dd3b0d

- Filesize: 11KB
  MD5: d665b4e45dfdc340a662745d8d721b11
  SHA1: d9d8fbb96bb94a292b77f5124a0dad6c098b18bc
  SHA256: 41f5f99fb7034e7b46e0bc2da84d10d2c2101fbac2b18a856bdd09a07ca3d81c
  SHA512: 408093e737a075428cc8190c76b394660f56bc9c214fc2cfebd9b63cf12dad48210616ee986f40feef8eae042e002990a06261e5fbaefd8a400b368257222407

- Filesize: 15KB
  MD5: d095b082b7c5ba4665d40d9c5042af6d
  SHA1: 2220277304af105ca6c56219f56f04e894b28d27
  SHA256: b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
  SHA512: 61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

- Filesize: 1KB
  MD5: 72b94be225535826e23580b1dd6d43cb
  SHA1: 302b647295f8431355f87aad2637a613ccb5bf59
  SHA256: 2e6c1e18b1ab8b2c801e761581e30e6fae535f27f01797126e5618aac2db4347
  SHA512: 1c8c9acd43805f62a04d1c9991969fa401d39dfeaa0b79783b1625b8a7ae73aa5fc80df4faf8876d428c56fa291c70a986a21f5745a9b7467b30a24bc68dd0e8

- Filesize: 1KB
  MD5: 78073055d6f628a4ffc5a995a40c4e49
  SHA1: 0306f84c31e66f7b147ee926c3a8edc3f85ec8ae
  SHA256: 272f20201e6127e903d8b0c5654cdaf31e8febe698b3ec92157e8d5e9d5cd4bb
  SHA512: 64b2ec0de433fbe704db4580dc4405ec9f9bbc80b0321d2bae75b23d3d4a7224906323bf25d01183f11527e3a8215169222da884c6e41e2d46c54b61e64a9fab

- Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

- Filesize: 3.1MB
  MD5: ea51c23d05223ab87b453d75a67f54dd
  SHA1: 338c3f1a35a103d8b468a5c7bcd4e94823f5a97b
  SHA256: b6b13eaf085d5c457ad6a51b8eb95d5556dba3d612e8fe942fb1891ecbaf6518
  SHA512: 66252ebb285d1a483ba7fbcb598b4c103cce4320bddba1c96ce0ff163a2562c92cbf895a16e3da8ae67a31d741073557be71fa883df3452fa6bac348f3da5464