Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2025, 03:52
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
quasar
2.1.0.0
C
sunday-n.gl.at.ply.gg:45214
VNM_MUTEX_JOaTNk0VrI3HINWRTc
-
encryption_key
BVfQN2TWXpz6KPjx5tNq
-
install_name
V.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
V
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/files/0x0004000000023079-66.dat disable_win_def behavioral1/memory/2140-101-0x0000000000840000-0x00000000008CC000-memory.dmp disable_win_def -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" $77-V.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection $77-V.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" $77-V.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" $77-V.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" $77-V.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" $77-V.exe -
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x0004000000023079-66.dat family_quasar behavioral1/memory/2140-101-0x0000000000840000-0x00000000008CC000-memory.dmp family_quasar -
Venomrat family
-
Downloads MZ/PE file 1 IoCs
flow pid Process 32 1952 msedge.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation $77-V.exe -
Executes dropped EXE 3 IoCs
pid Process 2140 $77-V.exe 1456 V.exe 5056 $77-V.exe -
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features $77-V.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" $77-V.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 39 ip-api.com -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\SubDir V.exe File created C:\Windows\SysWOW64\SubDir\r77-x64.dll $77-V.exe File created C:\Windows\SysWOW64\SubDir\V.exe $77-V.exe File opened for modification C:\Windows\SysWOW64\SubDir\V.exe $77-V.exe File created C:\Windows\SysWOW64\SubDir\V.exe:SmartScreen:$DATA $77-V.exe File opened for modification C:\Windows\SysWOW64\SubDir\V.exe V.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $77-V.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $77-V.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language V.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1648 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings taskmgr.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 975834.crdownload:SmartScreen msedge.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1648 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4820 schtasks.exe 4148 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 1952 msedge.exe 1952 msedge.exe 536 msedge.exe 536 msedge.exe 2968 identity_helper.exe 2968 identity_helper.exe 1860 msedge.exe 1860 msedge.exe 4808 powershell.exe 4808 powershell.exe 4808 powershell.exe 2140 $77-V.exe 2140 $77-V.exe 2140 $77-V.exe 2140 $77-V.exe 2140 $77-V.exe 2140 $77-V.exe 2140 $77-V.exe 5056 $77-V.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2140 $77-V.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeDebugPrivilege 1456 V.exe Token: SeDebugPrivilege 1456 V.exe Token: SeDebugPrivilege 5056 $77-V.exe Token: SeDebugPrivilege 2752 taskmgr.exe Token: SeSystemProfilePrivilege 2752 taskmgr.exe Token: SeCreateGlobalPrivilege 2752 taskmgr.exe Token: 33 2752 taskmgr.exe Token: SeIncBasePriorityPrivilege 2752 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 536 msedge.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe 2752 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1456 V.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 536 wrote to memory of 3088 536 msedge.exe 83 PID 536 wrote to memory of 3088 536 msedge.exe 83 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 3376 536 msedge.exe 84 PID 536 wrote to memory of 1952 536 msedge.exe 85 PID 536 wrote to memory of 1952 536 msedge.exe 85 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86 PID 536 wrote to memory of 4676 536 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://gofile.io/d/Hbsz201⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6cff46f8,0x7ffb6cff4708,0x7ffb6cff47182⤵PID:3088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:3376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:82⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:4524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:12⤵PID:724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:82⤵PID:4876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3964 /prefetch:82⤵PID:2128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6004 /prefetch:82⤵PID:3836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860
-
-
C:\Users\Admin\Downloads\$77-V.exe"C:\Users\Admin\Downloads\$77-V.exe"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "V" /sc ONLOGON /tr "C:\Users\Admin\Downloads\$77-V.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4820
-
-
C:\Windows\SysWOW64\SubDir\V.exe"C:\Windows\SysWOW64\SubDir\V.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "V" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\V.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4148
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- System Location Discovery: System Language Discovery
PID:5956
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMAOtMOXpA8l.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
PID:3472
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1648
-
-
C:\Users\Admin\Downloads\$77-V.exe"C:\Users\Admin\Downloads\$77-V.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵PID:4700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:4004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵PID:5224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7470335223017905340,5666991496388552177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:12⤵PID:5232
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4136
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:916
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5380
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
152B
MD59bfb45e464f029b27cd825568bc06765
SHA1a4962b4fd45004732f071e16977522709ab0ce60
SHA256ceb8f1b0aaa1ba575c3704e73fd77edf932d68c8be902b33f1ba3b1d130cd139
SHA512f87cce8bb5489b56027f5a285b948b639a1c7b0f213a111f057235177e5bffc537627c82586736704e398a0185cf2ad8ba8cdee788531fb753a2d08f16e906c7
-
Filesize
152B
MD5ae2a8f2ebc841509f7b978edf590d3cd
SHA191358152e27c0165334913228005540756c35bd3
SHA256631550765e3db02be0709748c0634a2cfdab711cea94f5890854d0c1dfbcb214
SHA512e52180dd175f1e6ff72d76400085869387cd70da33919de219a04dc26871e8421e93b22e7c59125c19c6ee54a8a8f742d796ac68ea9077c9dab5f03b80967d11
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5ad25ea841b5d30c23852fc4610564f93
SHA1e5f7200cfadf96e70dac36f082c3a8d620f7b248
SHA256ceae34d6d0deaca3e41074e510c5d07296f924370fdf03f028fc09df7b2e68a5
SHA512633e9c0d76e6abdc0026a0e7ab0b10cf9f5f52330817a14ea400c8170f9f757ee0bcc1606742c713e0841d355e48194367b7b0bf2688ab4ecb5df593489174b8
-
Filesize
391B
MD57c0d79b95ae2cf3dfd2a4054af266439
SHA1c632524bc5141e51619f1bbab0149e8c9ad7660e
SHA256482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d
SHA512e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411
-
Filesize
7KB
MD56db8b2ebed5301291f25dedcc7ec5cb3
SHA13aabf98b2804b41dd90d13d2b49686d365518cc1
SHA25692ca9602891aef3e247c33ab8ce3383089eafc44caa7164a00b30ab55510345e
SHA512bef85597c0dfacbb382093f0644c7c43e757d11381a5e961eb107bda4a48945b7786c4013813490b35c8e5677e7b67e373dbeb5fc273d91de7712701a4bf956b
-
Filesize
6KB
MD51207317acc1680d197dab9a415dbe061
SHA1bb92779188357d57a5848382c9d786cdb0e92b65
SHA256cec15ac1ca99d02fcefb0f36963143c94af70dd52ea5cf9a4c28fc3b1360c7ce
SHA5126421a18a9637bf6fecf8998fd6be694964914046fd253dfeac04b2dc92ced1f65757c8544bf96ff29e8ab84646a7208dc8ad32c987ace0d8ea87bc972d736072
-
Filesize
6KB
MD5be62cbd2e3f508f20a8b0ba9d5e799b1
SHA1d79f630e27ca3e2175e51b7c78e3ce914febc0f2
SHA256439aca193b005e2255cb6d33e7910075c19dddf95f26ab2f777b3d18baa6675d
SHA512aaee70d5f567f32308a397e7b695f9b40c7efc57b787bf1d179397ef0a0301994955f5e66a77300e9cb2cd0f862c618d53411469b9a278a31d0a4f16d97ca8a2
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD517533d3c48145685b07a71694e362f6f
SHA1cd5b6437dc71d9b6746dd43e046f5e142dc9c7d5
SHA2569b004464681526c094404ab2f06dcb7cd6d27f944bd69b37104b701dff15abd6
SHA512fb1f630400634bf27020b541da3444097a398cda8afc83909163ba1631e41cd322eb16568894087a3ff03035a879cf2f6e7b0125d93e25eeb2908f5ef1505f82
-
Filesize
11KB
MD56e16cdbe77676f023d26ba04fa388ebf
SHA164b1fe335ecc5742b04a4751c96f05b67fb331ed
SHA2568c801f08487989f8edf008773e8fb9bf0af8b5834e2fe1f62879c3f9dc10f6ca
SHA51263f6daff7bd64f3e316ae0b6fe621efd292d76b26f8e37f1890ec77d50ff9ca81551d4122e0e5bbd90b12d1122196316ce346550c77a6fd4f3541900ca15cbef
-
Filesize
193B
MD5e2710cf5d595f6d7edaf21a746883fe5
SHA1858f707c0707b7ad6464ffd439b2773b29f8451b
SHA2560eda537d8a61f0e703c7c8b1e3456df8f4aba6afeb0268aa7441c1ec927e3823
SHA512cb648fdfcea0c67e5dff5c17b077130e24b4652983cd9f98225edae9c4752867eead0e95282e1d691dbe823c8d370527c9e9850251bd1d708e7e65b0046bd66d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
534KB
MD527f7ed9d9bdb092d895b6ee50de6a443
SHA1215ec121a3487e1cc4b60a6d374f976ffd42f10a
SHA2565da9c2b56f6159326a37baebb51b80b6b1c53e51e52923047d04a63056b3baef
SHA51237c1b35348539996c1982d0349256c5cf924f1d8b6d719d9bc53bf2fe6b989bf98aadf936b23f52fcc458881b08248d1add146f1c933b6e6dcd32d447b842cb3