quasar | hxxps://gofile[.]io/d/XUQ3Zo

Analysis

max time kernel
72s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17-05-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/XUQ3Zo

Score

10^/10

quasar poofnrico spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PoofNRico

nahchris-49021.portmap.host:49021

Mutex

1a5d095f-2c59-4b3f-b053-5bd928b2e541

Attributes

encryption_key
ADBAB4BC16998E7E1913E54C27829FE47C72BE6D
install_name
PlutoBETAv2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
DiscordUpdater.exe
subdirectory
PlutoBETAv2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 94836.crdownload	family_quasar
behavioral1/memory/1264-108-0x0000000000FA0000-0x00000000012C4000-memory.dmp	family_quasar

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

InfinityBETA.V2.exePlutoBETAv2.exe

pid process

1264 InfinityBETA.V2.exe
4012 PlutoBETAv2.exe

pid	process
1264	InfinityBETA.V2.exe
4012	PlutoBETAv2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1384 schtasks.exe
3608 schtasks.exe

pid	process
1384	schtasks.exe
3608	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeTaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	Taskmgr.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exeInfinityBETA.V2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 94836.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityBETA.V2.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe\:SmartScreen:$DATA	InfinityBETA.V2.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeTaskmgr.exe

pid	process
1632	msedge.exe
1632	msedge.exe
4596	msedge.exe
4596	msedge.exe
4788	identity_helper.exe
4788	identity_helper.exe
788	msedge.exe
788	msedge.exe
776	msedge.exe
776	msedge.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe
4596 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

InfinityBETA.V2.exePlutoBETAv2.exeTaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1264	InfinityBETA.V2.exe
Token: SeDebugPrivilege	4012	PlutoBETAv2.exe
Token: SeDebugPrivilege	3140	Taskmgr.exe
Token: SeSystemProfilePrivilege	3140	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3140	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exePlutoBETAv2.exeTaskmgr.exe

pid	process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4012	PlutoBETAv2.exe
4012	PlutoBETAv2.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exePlutoBETAv2.exeTaskmgr.exe

pid	process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4012	PlutoBETAv2.exe
4012	PlutoBETAv2.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe
3140	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PlutoBETAv2.exe

pid process

4012 PlutoBETAv2.exe

pid	process
4012	PlutoBETAv2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4596 wrote to memory of 4540	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4540	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 4272	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 1632	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 1632	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe
PID 4596 wrote to memory of 5060	4596	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/XUQ3Zo
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe8813cb8,0x7ffbe8813cc8,0x7ffbe8813cd8
2⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
2⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
2⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:8
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Users\Admin\Downloads\InfinityBETA.V2.exe
"C:\Users\Admin\Downloads\InfinityBETA.V2.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "DiscordUpdater.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1384

C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe
"C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "DiscordUpdater.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\PlutoBETAv2\PlutoBETAv2.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9781588012461971526,11824576062357363356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
2⤵
PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3860

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
fa26e96bd8b1117447866af46e75ecdd

SHA1
a625eb26a08d53a669705309c9f18ac0ecf87aae

SHA256
67ce8575b736e77b39adf2cdc2ce2850cb1b0ba39c8ea59a2c24fb11d1ff936f

SHA512
dccdd0c5f855ee42327deecb6fe8d14c5a1737d8e2825f2de392f4e65c6ad44add2ea419cc509a2699499fd72d480a58f0ec9f48e9e1a59452683c5a8f9a2c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08c9710a545364b0a015a1e0220f7adc

SHA1
a71b1761066ed6e3da89c987853763ea218ded9c

SHA256
89806e78d0c0a42153e3ef5723c269825a177371d7d9d7b375e3733a0dc666a1

SHA512
1cc07e42a77813ecc5b641547555f17f20f454d1c3071a0535c1d00f00add0987b3326703092489509eab0bd7edf1ce09cc92dff095263543a451b58924c9f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
074427486fdaeb2adb632920cc3d3eb6

SHA1
f5992964719d70f1a40e0968b783239c22179688

SHA256
b9e1dee612e0d26f0816a5109292c16e659154f3a15e56037b271fef184cdec4

SHA512
2c49e4d3e2aa744874f42915b8e7bdb1c6aa0cd4ff2ec3ed1182d38ae43b08f7d8d64ed658f4d3b95e8823a54701096ad9959fb0cac52d389ae11187db83f991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
33f06577ab63b74523069a5be11bfeba

SHA1
db1dbf359d0b1d4ec24345acde29a50597bcfc71

SHA256
12dca1c8fb9237813a56a59a34ee1103be0610d1f53df903b1063f7521d9ec7b

SHA512
cc75ca0ec1d7f44cd15dc0b7c21e0bc89365d3d178a781ff88dbe40f09e45ad9a9f9124e6894b62f123ce68c930c10ad5122b26e4887532171a8c174a62cf1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6900ac0747ea6b550ea8860ad86cdb49

SHA1
3d51121302b357d3a0a4de530dd5782873c6d07e

SHA256
8a753273ce65b796f04326ad01908495c3070f1824125fd03ea4b35050802690

SHA512
04d85cbad9295031933f2e6bbc61b68d6b9ce5262bcff1961651fe98f56d2bb4260f445ec1d4a83624b05ae69a774f8baa1fa5283177ca0f24f2671d76244e0d

Download Submit
C:\Users\Admin\Downloads\InfinityBETA.V2.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 94836.crdownload

Filesize
3.1MB

MD5
1b84762faebd8469f686f703cbaef7b9

SHA1
41e135a8a2a9525e09a2303055430e36d95780cd

SHA256
4b857bc454edef7fa460fecb36f676fa38bab8b3304f3f07d12b9777fa0b68cb

SHA512
da9482a2ef6fbe659afff4c5a0d1911145bb93be47dd5a714e4e1c24802f1e9d9669f5a209665a7da752e56d2c82c41e48c5bd951d26a2cd763fc8a62d4e703c

Download Submit
\??\pipe\LOCAL\crashpad_4596_JDHWYAVIWMNWSWOC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1264-108-0x0000000000FA0000-0x00000000012C4000-memory.dmp

Filesize
3.1MB

Download
memory/3140-159-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-164-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-161-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-162-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-152-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-154-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-153-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-163-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-158-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/3140-160-0x000001B35EA70000-0x000001B35EA71000-memory.dmp

Filesize
4KB

Download
memory/4012-129-0x000000001CBB0000-0x000000001CBEC000-memory.dmp

Filesize
240KB

Download
memory/4012-116-0x000000001BFA0000-0x000000001C052000-memory.dmp

Filesize
712KB

Download
memory/4012-150-0x000000001D460000-0x000000001D988000-memory.dmp

Filesize
5.2MB

Download
memory/4012-128-0x000000001BF40000-0x000000001BF52000-memory.dmp

Filesize
72KB

Download
memory/4012-115-0x000000001BE90000-0x000000001BEE0000-memory.dmp

Filesize
320KB

Download