Analysis
-
max time kernel
17s -
max time network
19s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-05-2024 00:05
Behavioral task
behavioral1
Sample
vir.exe
Resource
win11-20240426-en
General
-
Target
vir.exe
-
Size
36.9MB
-
MD5
2d4e021175d1b6bbee51be15e9bec384
-
SHA1
24256916b2c654a4c9055f0e1e6fe423654310f0
-
SHA256
cb9036f98e1865c5b9d4a82f76fc60176bf6353ee3e1a41d72c198bf992cd19d
-
SHA512
cbbf62fa974781192db459c546b5cd575d59ec528e04a63a8f7d8eb3fabec810ddef5c41d854aac4633fea0a36129b1a263540b38d0f77594799aa5af90d448d
-
SSDEEP
786432:J4RerlLa3nbEwrkACTe6YQbjGEhM6XHXkvj:aulW3bEoALHUr
Malware Config
Signatures
-
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/memory/2456-40-0x0000000006090000-0x00000000065E0000-memory.dmp net_reactor behavioral1/memory/2456-45-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-42-0x0000000005B40000-0x000000000608E000-memory.dmp net_reactor behavioral1/memory/2456-55-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-66-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-81-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-87-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-93-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-105-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-109-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-111-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-117-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-115-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-114-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-107-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-103-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-101-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-97-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-95-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-99-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-91-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-89-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-83-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-79-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-85-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-69-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-64-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-62-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-60-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-58-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-49-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-53-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-51-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-47-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/2456-44-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor -
Executes dropped EXE 3 IoCs
pid Process 2456 Rover.exe 2664 psiphon3.exe 224 regmess.exe -
resource yara_rule behavioral1/files/0x000100000002a9d0-686.dat upx behavioral1/memory/2664-796-0x0000000000880000-0x0000000001EA7000-memory.dmp upx behavioral1/memory/2664-2284-0x0000000000880000-0x0000000001EA7000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 484 2664 WerFault.exe 100 -
Delays execution with timeout.exe 1 IoCs
pid Process 4576 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 464 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31108521" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1153534973" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon psiphon3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\ = "URL:psiphon" psiphon3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\URL Protocol psiphon3.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\shell\open\command psiphon3.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\shell psiphon3.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\shell\open psiphon3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_75d7f261-14ee-4d09-aa07-44719b677553\\psiphon3.exe\" -- \"%1\"" psiphon3.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3680 msedge.exe 3680 msedge.exe 388 msedge.exe 388 msedge.exe 2080 msedge.exe 2080 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 388 msedge.exe 388 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 464 taskkill.exe Token: SeDebugPrivilege 2456 Rover.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2664 psiphon3.exe 2664 psiphon3.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3332 wrote to memory of 1096 3332 vir.exe 80 PID 3332 wrote to memory of 1096 3332 vir.exe 80 PID 3332 wrote to memory of 1096 3332 vir.exe 80 PID 1096 wrote to memory of 464 1096 cmd.exe 83 PID 1096 wrote to memory of 464 1096 cmd.exe 83 PID 1096 wrote to memory of 464 1096 cmd.exe 83 PID 1096 wrote to memory of 2456 1096 cmd.exe 85 PID 1096 wrote to memory of 2456 1096 cmd.exe 85 PID 1096 wrote to memory of 2456 1096 cmd.exe 85 PID 1096 wrote to memory of 388 1096 cmd.exe 86 PID 1096 wrote to memory of 388 1096 cmd.exe 86 PID 388 wrote to memory of 4952 388 msedge.exe 89 PID 388 wrote to memory of 4952 388 msedge.exe 89 PID 1096 wrote to memory of 3560 1096 cmd.exe 90 PID 1096 wrote to memory of 3560 1096 cmd.exe 90 PID 1096 wrote to memory of 3560 1096 cmd.exe 90 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 4436 388 msedge.exe 91 PID 388 wrote to memory of 3680 388 msedge.exe 92 PID 388 wrote to memory of 3680 388 msedge.exe 92 PID 388 wrote to memory of 4896 388 msedge.exe 93 PID 388 wrote to memory of 4896 388 msedge.exe 93 PID 388 wrote to memory of 4896 388 msedge.exe 93 PID 388 wrote to memory of 4896 388 msedge.exe 93 PID 388 wrote to memory of 4896 388 msedge.exe 93 PID 388 wrote to memory of 4896 388 msedge.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\main.cmd" "2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\Rover.exeRover.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\web.htm3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacd1c3cb8,0x7ffacd1c3cc8,0x7ffacd1c3cd84⤵PID:4952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:24⤵PID:4436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:84⤵PID:4896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:14⤵PID:2508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:14⤵PID:468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\helper.vbs"3⤵PID:3560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\spinner.gif3⤵
- Modifies Internet Explorer settings
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\psiphon3.exepsiphon3.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 18444⤵
- Program crash
PID:484
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\regmess.exeregmess.exe3⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_063a7685-adb5-437d-8275-2364a9045ba7\regmess.bat" "4⤵PID:2408
-
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵PID:2544
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- Delays execution with timeout.exe
PID:4576
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2372
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2664 -ip 26641⤵PID:3812
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59faad3e004614b187287bed750e56acc
SHA1eeea3627a208df5a8cf627b0d39561167d272ac5
SHA25664a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9
SHA512a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90
-
Filesize
152B
MD57915c5c12c884cc2fa03af40f3d2e49d
SHA1d48085f85761cde9c287b0b70a918c7ce8008629
SHA256e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da
SHA5124c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217
-
Filesize
61B
MD54df4574bfbb7e0b0bc56c2c9b12b6c47
SHA181efcbd3e3da8221444a21f45305af6fa4b71907
SHA256e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA51278b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize
5KB
MD599501bef66b95be9fdeb147cb1a37b46
SHA19a99778bc45002facf5f3dcbef48ddef4d5ac071
SHA2569a40881ab81007a4ffc6d8cead22bb9053e177058f1d0fa574ce3616f50034d7
SHA512028e61e6fb62dfa2290f412514cf2a74d306876192557c2b9e665fe4e7982bffcd0bc8a7029059c94bc1cf33f0e2df76755f59ea572bd27c1cce97149c7c3fe9
-
Filesize
5KB
MD52d81a77939a16d1dd1bfe6db3b57a652
SHA1da5cbcacd7ee1ddcd6deb049edfe4ff2722816ee
SHA2566992b6303c35401259c82b891913e1f646987c7aefed8ef19761a323bbb7aa58
SHA5129d97728f49d3d9ebe2354c4d37d1310f2c969e41d25f4eb9a718b2e3b456df098e246619539d752ec7edc0071df347d8543bd4c68474c806af602ee98e8ac053
-
Filesize
11KB
MD5a6936de53c87e5fcb9dbe104105c4004
SHA1bce9595c52011d24d88a01dad743b2758ba9aa2f
SHA256a8a929c49991b4ea400df8ad603fa6b687750036ab600c7eca5da3ce6bb88ad2
SHA512555abd1c2f784eef8177f6fafc863acea5ceda6be143df0361640f20e4ce791370a831935dd246dd31a2e0e372583d56273c9b4e48205ba9f67b1ed430b24f40
-
Filesize
10KB
MD5bee007a5a5b6e1001cfc391d178cf5ba
SHA14478c5db863011a846ad2db5cf5e30a8cdb5f819
SHA2568001fb963acb6e4342750a3b0a704c353107b60516dbdb614c5192e199168d50
SHA512120ece82ec85b4dc1d25e004899848a50c5b5c3fc32971890a9fd7b22840881fa89c22a2102d3878e516f039e1a5f2c63687862f04de0111011cd38279125c41
-
Filesize
28B
MD57cb66dc89fe80337d3cc76467cfdcf98
SHA18b683342a055b3a5ba0ab6e7089872165d69d5bc
SHA2562609e65a1aedbbd73c5679675f07da7b171e48111a556a62935a8843f93e0127
SHA51254d27b3b74b12d5ce86806efd0a5a5ac6e6df99c08415cbe815b0ef1d45fc0dce2c9342badd302278134c1526070ba3796914b5206529d4f9045d8448a3079e8
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
1KB
MD5bb130f376e3b817134b94e9c832d6843
SHA1c528cb7076567d7ce3e25232b5f5927ffa8eff10
SHA256974486e4604fce6a4873f49d7ec18625533e2ec7bd78bf68a0be20dd8859d1d7
SHA512a523527edd3255c7e0515ddac57d518dd003f7692976bfbcb86fd363c887595160cadd3073dee6a79aa32c80336f4b4b65eb92179ba4ec691ac3be3137b3ff7e
-
Filesize
7.4MB
MD550b9d2aea0106f1953c6dc506a7d6d0a
SHA11317c91d02bbe65740524b759d3d34a57caff35a
SHA256b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA5129581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c
-
Filesize
680KB
MD530bba5cf00fd210476978618539058d9
SHA136c0160196e41561991404bf96efae9a952f1ca0
SHA256162947d11d177ccf6da4eb75f56877e14341b24f8a06b503c7d13f43bd653bcd
SHA512449830ae87e66182c811ed21036e90bcbce6c78a972581d5bcb71bdf2bca07ffea263c9be74cf3619b1ba8f377ea014a4c840f1510cae92fbe1f3c1dd507fd7c
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
212B
MD5e81c57260456ac0df66ef4e88138bed3
SHA10304e684033142a96e049461c0c8b1420b8fb650
SHA2564b22f2f0add8546487bd4f1cc6eba404ee5353c10cf0eae58ce5b664ca1e2485
SHA512d73b58c087b660dc7d9f1c81828e4e6d7368bd3d702d6dcff719345d7d612685b1747979c89c483d35e480ded9666fdd2178452444b87e9f402ba01b0e43771c