quasar | 1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709

Analysis

max time kernel
595s
max time network
599s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZenStudio.exe
Size

17.2MB
MD5

2b8322f747ed7623d698c524ccf2ea16
SHA1

fae3a00cd6334cee7e793aa6bb56bffc45c0bca0
SHA256

1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709
SHA512

e1a3070b760cd7999339a21e72618b7614c1b26bf5b2acbbdfd45c27eb115d0d566fa5d835cf505d274025366a2a474450bd49b3607340cf52731c7f26e784e4
SSDEEP

393216:DaLCsFu4++WuIuffxPvMFQFgs20pHOMOv59/dWnnETyNS0yRMtEX:DaBIETfMMuMWHlo9vyrX

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.116:4782

Mutex

f55cb366-2131-4b43-b653-b1dfe19ea719

Attributes

encryption_key
2209A46D68E2D7B07274489E0B5E4FBE909ACAFC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ab60-227.dat	family_quasar
behavioral1/memory/784-265-0x0000000000B60000-0x0000000000E84000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
784	Discord Spammer.exe
1352	Client.exe
4568	Discord Spammer.exe
1808	Discord Spammer.exe
4140	Discord Spammer.exe
3972	Discord Spammer.exe
4084	Discord Spammer.exe
952	Discord Spammer.exe
4480	Discord Spammer.exe
3884	Discord Spammer.exe
1580	Discord Spammer.exe
4804	Discord Spammer.exe
2128	Discord Spammer.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	ZenStudio.exe
2840	ZenStudio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2400	schtasks.exe
3764	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 637145.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Discord Spammer.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Discord Spammer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
4596	msedge.exe
4596	msedge.exe
4824	msedge.exe
4824	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
4176	msedge.exe
4176	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	Discord Spammer.exe
Token: SeDebugPrivilege	1352	Client.exe
Token: SeDebugPrivilege	4568	Discord Spammer.exe
Token: SeDebugPrivilege	1808	Discord Spammer.exe
Token: SeDebugPrivilege	4140	Discord Spammer.exe
Token: SeDebugPrivilege	3972	Discord Spammer.exe
Token: SeDebugPrivilege	4084	Discord Spammer.exe
Token: SeDebugPrivilege	952	Discord Spammer.exe
Token: SeDebugPrivilege	4480	Discord Spammer.exe
Token: SeDebugPrivilege	3884	Discord Spammer.exe
Token: SeDebugPrivilege	1580	Discord Spammer.exe
Token: SeDebugPrivilege	4804	Discord Spammer.exe
Token: SeDebugPrivilege	2128	Discord Spammer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1352	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4916	4596	msedge.exe	84
PID 4596 wrote to memory of 4916	4596	msedge.exe	84
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 1484	4596	msedge.exe	85
PID 4596 wrote to memory of 2328	4596	msedge.exe	86
PID 4596 wrote to memory of 2328	4596	msedge.exe	86
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87
PID 4596 wrote to memory of 3032	4596	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe
"C:\Users\Admin\AppData\Local\Temp\ZenStudio.exe"
1⤵
- Loads dropped DLL
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a423cb8,0x7ffd4a423cc8,0x7ffd4a423cd8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3764
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1352
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2400
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Users\Admin\Downloads\Discord Spammer.exe
  "C:\Users\Admin\Downloads\Discord Spammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,13665575194490175902,12111850600698544781,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3580 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3028

C:\Users\Admin\Downloads\Discord Spammer.exe
"C:\Users\Admin\Downloads\Discord Spammer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Users\Admin\Downloads\Discord Spammer.exe
"C:\Users\Admin\Downloads\Discord Spammer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord Spammer.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
22cececc69be16a1c696b62b4e66f90e

SHA1
b20b7f87f8bc64c1008b06a6528fc9c9da449c2f

SHA256
d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258

SHA512
2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a85ad170d758e61ae5648c9402be224

SHA1
e6dfce354b5e9719bc4b28a24bb8241fc433e16f

SHA256
af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617

SHA512
641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f5daa7d735aaee1e4d4869cf57f6e07b

SHA1
d915cf03892e9bc4ee524bca3a06eaf021d716fa

SHA256
83632a00256f5ff8e2378e601ff7f256f3e42f110fe7a5d79a7f41bfbd3c22bd

SHA512
2ee4121384e7f4286bd1598e23e9a8fa67c810d905820890212747a8e7b44064b0baf4559fa10c6328daf4b9683d47c1873eb9a90b2ec319e2f88ab624600abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
387B

MD5
a76d8ae9523bcf5bb2caa451121a0d91

SHA1
4867caa19f280aabdc4f85f6468335d70ad1d996

SHA256
515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b

SHA512
9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b17335a194ca657fbe646b88280b37a3

SHA1
164a8568ccb19f20fbcd8b76fa52d3ae241c3a0a

SHA256
0ad5a78d5ae9a6fa8aa5c145fb9b6852f48d8ead700803feef3b82615690ab66

SHA512
0af7fe2245f7e5874d9fc5ce2b2d39d08494f5e075544eacd033fe8e1b55ccdfe40e1c502673531e1968c78a2cd172e78bba218a1522fb5c8297dedecd62ebf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4846bf099d76f22adfba5196e3238476

SHA1
5d40bb39f2c5ea768464ae77f9081eb428925142

SHA256
1233912ed8d00a17be0abe84a3aa79f0b8a52fcb53e93e64e9a83f8ac7380236

SHA512
e027528dcd7783ac20c5c0c777b83ca64e75d4dfb7ef67dd310861991ca30e3b858c3e33868baef205f8ece4e6ea1bd97f50be78044cbfc4960fc42100bbd5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1379f9d5ea26381c4a28ff656de785a5

SHA1
1be6663c7b1ee069e61b83c5d23845010cf4eef4

SHA256
49d0381c847e86e9a89d63aa8f5a2bdde071068b58068fabfaf76e99bfa32265

SHA512
07cd13e08efd7e69a4dce6d036f37feb609adec3f5b3c5c6fbe02ef8e4cc35c97c7812aa0d85bc5a11b8f23b2b8e8704bf2ae98e06da922f0ff8eb3ae1d8fad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1babd2bf870221bf3cbe1169a2d88478

SHA1
1e49d37e913068836200fd5b8ce06b721e3a693e

SHA256
5db7821e7e31c9b4110aec72719dad5b58503103564644a3d684e92a4f36ee89

SHA512
50efe44464a3265d0a39ec498d77df8828c5de69463980ee151f1c5ab004aa79a3b4193c4dc6ae98e203b6686c2e3316eb211a4d0b47faf857713c6d0b572d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
248ee323bfbd827ed0b9f6709d424dea

SHA1
5b76d691f5da8ad25fb3e7c6a0db38007a435b9a

SHA256
d00bbaff790282e7787e15194d319215f0193a5c9b8042763dbf5502e0bc5b3e

SHA512
7cda75d98c005dca1c68f4df247e9713bd79c0b7b92fb0eecbead82602a61569816980a885b9548aedfd07489087f6e31c461c788c69bc01b6c7cc226628ec97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
794b5a40d9862dd2673e890a9acf7d6a

SHA1
895be693322ab701384b02a401e63b24341f62ae

SHA256
085d3f96656baecaa3af3de608bfe3e329c1baf8509f38c56b26c9d94292511c

SHA512
da33aabce9c6b780217c8c4d9298818ed526dd82c81b02ca7ee96f2b81414187e290607fa3e65374f9071a20e547265181347171325f95e746d41f0ca80b9829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b0ed1b019fcc55c4e086fcd013f7487

SHA1
853ccad344126bcd02ac1d1bdb1e89d241b39c3d

SHA256
38410cfff783b1734f5f0cd69a7cb2e653bdcc562850ddf971d45113a7f10bd9

SHA512
bef79b32438473cdfb792a4517bb60f47abaca9b2034b682848a3fcd3fa6b14b17a034fb193f181f77bd998a292f1cb9e6e7a993b3a2347c0b13a72e72dd3b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d665b4e45dfdc340a662745d8d721b11

SHA1
d9d8fbb96bb94a292b77f5124a0dad6c098b18bc

SHA256
41f5f99fb7034e7b46e0bc2da84d10d2c2101fbac2b18a856bdd09a07ca3d81c

SHA512
408093e737a075428cc8190c76b394660f56bc9c214fc2cfebd9b63cf12dad48210616ee986f40feef8eae042e002990a06261e5fbaefd8a400b368257222407

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
72b94be225535826e23580b1dd6d43cb

SHA1
302b647295f8431355f87aad2637a613ccb5bf59

SHA256
2e6c1e18b1ab8b2c801e761581e30e6fae535f27f01797126e5618aac2db4347

SHA512
1c8c9acd43805f62a04d1c9991969fa401d39dfeaa0b79783b1625b8a7ae73aa5fc80df4faf8876d428c56fa291c70a986a21f5745a9b7467b30a24bc68dd0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6EE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
78073055d6f628a4ffc5a995a40c4e49

SHA1
0306f84c31e66f7b147ee926c3a8edc3f85ec8ae

SHA256
272f20201e6127e903d8b0c5654cdaf31e8febe698b3ec92157e8d5e9d5cd4bb

SHA512
64b2ec0de433fbe704db4580dc4405ec9f9bbc80b0321d2bae75b23d3d4a7224906323bf25d01183f11527e3a8215169222da884c6e41e2d46c54b61e64a9fab

Download Submit
C:\Users\Admin\Downloads\Discord Spammer.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 637145.crdownload

Filesize
3.1MB

MD5
ea51c23d05223ab87b453d75a67f54dd

SHA1
338c3f1a35a103d8b468a5c7bcd4e94823f5a97b

SHA256
b6b13eaf085d5c457ad6a51b8eb95d5556dba3d612e8fe942fb1891ecbaf6518

SHA512
66252ebb285d1a483ba7fbcb598b4c103cce4320bddba1c96ce0ff163a2562c92cbf895a16e3da8ae67a31d741073557be71fa883df3452fa6bac348f3da5464

Download Submit
memory/784-265-0x0000000000B60000-0x0000000000E84000-memory.dmp

Filesize
3.1MB

Download
memory/1352-274-0x000000001C0C0000-0x000000001C172000-memory.dmp

Filesize
712KB

Download
memory/1352-273-0x000000001BFB0000-0x000000001C000000-memory.dmp

Filesize
320KB

Download