Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
04/02/2025, 09:27
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
quasar
1.4.1
Office04
98.218.3.74:4800
dd229ccb-39cd-4301-9413-ea14fa25ce22
-
encryption_key
F023A1C93603AFE96871B3F0323AA7B852FA745F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
discord
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x001900000002abd5-66.dat family_quasar behavioral1/memory/5296-98-0x00000000004B0000-0x00000000007E4000-memory.dmp family_quasar -
Downloads MZ/PE file 1 IoCs
flow pid Process 21 1932 msedge.exe -
Executes dropped EXE 28 IoCs
pid Process 5296 bob2.exe 5604 Client.exe 2888 bob2.exe 5932 bob2.exe 3604 bob2.exe 5176 bob2.exe 1492 bob2.exe 4436 bob2.exe 3428 bob2.exe 2088 bob2.exe 8 bob2.exe 5100 bob2.exe 5928 bob2.exe 1688 bob2.exe 5024 bob2.exe 2976 bob2.exe 2036 bob2.exe 2740 bob2.exe 4736 bob2.exe 1576 bob2.exe 3508 bob2.exe 1924 bob2.exe 5280 bob2.exe 4924 bob2.exe 4152 bob2.exe 2868 bob2.exe 4692 bob2.exe 1044 bob2.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\bob2.exe:Zone.Identifier msedge.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings msedge.exe -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 296004.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\bob2.exe:Zone.Identifier msedge.exe File created C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA bob2.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4620 schtasks.exe 4944 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1932 msedge.exe 1932 msedge.exe 5316 msedge.exe 5316 msedge.exe 4140 identity_helper.exe 4140 identity_helper.exe 3212 msedge.exe 3212 msedge.exe 1208 msedge.exe 1208 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe 3520 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 5296 bob2.exe Token: SeDebugPrivilege 5604 Client.exe Token: SeDebugPrivilege 2888 bob2.exe Token: SeDebugPrivilege 5932 bob2.exe Token: SeDebugPrivilege 3604 bob2.exe Token: SeDebugPrivilege 5176 bob2.exe Token: SeDebugPrivilege 1492 bob2.exe Token: SeDebugPrivilege 4436 bob2.exe Token: SeDebugPrivilege 3428 bob2.exe Token: SeDebugPrivilege 2088 bob2.exe Token: SeDebugPrivilege 8 bob2.exe Token: SeDebugPrivilege 5100 bob2.exe Token: SeDebugPrivilege 5928 bob2.exe Token: SeDebugPrivilege 1688 bob2.exe Token: SeDebugPrivilege 5024 bob2.exe Token: SeDebugPrivilege 2976 bob2.exe Token: SeDebugPrivilege 2036 bob2.exe Token: SeDebugPrivilege 2740 bob2.exe Token: SeDebugPrivilege 4736 bob2.exe Token: SeDebugPrivilege 1576 bob2.exe Token: SeDebugPrivilege 3508 bob2.exe Token: SeDebugPrivilege 1924 bob2.exe Token: SeDebugPrivilege 5280 bob2.exe Token: SeDebugPrivilege 4924 bob2.exe Token: SeDebugPrivilege 4152 bob2.exe Token: SeDebugPrivilege 2868 bob2.exe Token: SeDebugPrivilege 4692 bob2.exe Token: SeDebugPrivilege 1044 bob2.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5604 Client.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5316 msedge.exe 5604 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5604 Client.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5316 wrote to memory of 788 5316 msedge.exe 77 PID 5316 wrote to memory of 788 5316 msedge.exe 77 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 4856 5316 msedge.exe 78 PID 5316 wrote to memory of 1932 5316 msedge.exe 79 PID 5316 wrote to memory of 1932 5316 msedge.exe 79 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 PID 5316 wrote to memory of 2724 5316 msedge.exe 80 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Qghnbe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5316 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc69d23cb8,0x7ffc69d23cc8,0x7ffc69d23cd82⤵PID:788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:4856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:82⤵PID:2724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵PID:5764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵PID:5692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:12⤵PID:1032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:12⤵PID:3932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:82⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1208
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5296 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:4620
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5604 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:4944
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵PID:5636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:1756
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5932
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5928
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5280
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4856 /prefetch:82⤵PID:3460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,1365910796873513055,7008270663083957577,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6476 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2860
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1264
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1416
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692
-
C:\Users\Admin\Downloads\bob2.exe"C:\Users\Admin\Downloads\bob2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b4e91d2e5f40d5e2586a86cf3bb4df24
SHA131920b3a41aa4400d4a0230a7622848789b38672
SHA2565d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
Filesize
152B
MD5fdee96b970080ef7f5bfa5964075575e
SHA12c821998dc2674d291bfa83a4df46814f0c29ab4
SHA256a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0
SHA51220875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff
-
Filesize
152B
MD546e6ad711a84b5dc7b30b75297d64875
SHA18ca343bfab1e2c04e67b9b16b8e06ba463b4f485
SHA25677b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f
SHA5128472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD5e3ed4ba1297b014dcb7f8511fe3e0530
SHA13884c52cdb9ed087ac0b8b474b956908a8939d36
SHA25677f1a61cf9b53cf780931ac44d2fd103146e1411cbd1182ea2ea7c1c927cf255
SHA5128885bbe57bdd620faa2f633c7495831c75b65f8d0e8ee947a75f6f4bb8edb30f4bcd95c911c3d7f3265059f9435ce0defe4de8e30cc8cd362015ee3560a6b64e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5a544fbb065246464a73398ff39b00db2
SHA10bdf44f26ee344c268d3c588083b1ab57b22db35
SHA256535ead647f6f1c551c2ffc685aa6b3d54c56914311afb33e4569d7c2cb905941
SHA512d84346cf6261e53948ba1ff671b967e2e265d28e72a7cd10d2d25f27ce20ac02a6d0e0eca3bb4b5a126b227d72688810063f840cd558331f015c0e99f6c92615
-
Filesize
391B
MD5b15ca352a2f208a7f0fcce0996404cb7
SHA1c4bbe66ab7d727e190e511b276b25a52d7d41df5
SHA25621f7392ea9180d4bfaa71f853089c07c2d2023604274f4ad8790ec7308343959
SHA512d00a1135f39eb765f53c55ec2e99683863c610404617e6c0fd41a1f4f7fffacb22ce22cc887ca4a70989491a643d764c2306c8a77302f5f98402278e3e466f85
-
Filesize
6KB
MD5bc7188a0ef73ab5fe391b1b5470a4bca
SHA1198fc5062a10907262a06d2989594866f3ffe986
SHA2568da6c35a22b521895f2e0c52a106b90f0c2a18803837f10b17451a4b5d74cde7
SHA51206f9cb42b6564e9ad63e8071a273a554929fb962f150ea05b1beadecd7144e9c88d889e1a686531d318bc9272b834cf418193e953b978843a066d0c28ff956ce
-
Filesize
6KB
MD54d16a58e8ac608462014207149553e04
SHA1b68b9cbf72bab7dec3317b51a1f480b9ee13303d
SHA256b6a8aed3050fdc36cd4c5914ad12132f75799359385644967600abf04fa8eda8
SHA5122dfb9a65c774512225993faebbae679c2d037c7ba3db7adeea8b10c7f17f5cc4ba926f9cb5f9ed32cc8ba1ccf39f9213d60c4ff3c01badc1206ed617f420f1d2
-
Filesize
370B
MD501444ed7d3e6bcfb01ba2d0a5bcec79f
SHA14e834222439b5fa506cfc964cbc3c6b08a27db97
SHA2566ff5856ab6cffa39341750b1f7c70b0d014adb3655e55ddf355427b6f0573b3f
SHA512503fdd98bfb444b50965038631ea3d4f567eb04d942220b59735a1f14ab88814546653894bf4c9e214519e27ddf3af3e537baace6d0b9e25c028dfc87b7ae745
-
Filesize
370B
MD5533034df20143be9376db5e78b0fe4d1
SHA1b37ae0f3e5332b93b8299ce32134e4b1e625a7e3
SHA2562d18899b4d720cc570cf33d06498e9c51d6b36aa60d5814920e2a407cf5a9c53
SHA51248344ae659ec9b5d9c339f0b33a9971e1d0cdb41f12782cb509fce96828fbee7bd7116c415697adeecd3da3870e679344d278867276fe503c716ed91532fca37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2c1dd64-cbcf-4f93-a963-049fa05dd9de.tmp
Filesize5KB
MD593b687ea59babcb8f77653b3c47bbf9b
SHA15dda6f2b72503566d7273318e00636dd53c72487
SHA2564565f8c1e47a91dba689833abea157fe1d2bbc0ce3c014678fb682f25057423e
SHA51252e914a1f13b712e58449ef07f3e645b78750aff6a530e08114b0766e0f836102f5b0a575b286000d3c800ced5c017a1de5811ac4a861bdaf81dddafdb2727cc
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5a93614d9da85c71dc92964d34bef401c
SHA14ef546f094eba0b9e63cb56fe9aadf6c4f661636
SHA256599e6738861f1cabe8a5a97ab7bae66e70a0020657c8e2ffad4446496a584988
SHA51209d6fd8a60c299084a6e2373396d9e7bbef51bc17cd7aa65bde1b0a033f1bb17fcd836ccb3aa40bf0cab6f3685983a5b78a6b3f2ec62b778369b677a0f63c1a5
-
Filesize
10KB
MD52ae53f2a1bcf222b6cd199a59b0dc870
SHA1a75cdba33ad07d79be67dbbd4d959c9c2b41f6f2
SHA256feadc877ad30a558c2010aa2dd80b6dfbc75ce7a56e2699bb0966bf592f2665d
SHA5127a310a112cb63e63ff5ca970005405b455de2e4167c84348ef106ae029869c3b9fffde2e5ca7da766363194ecc242255d689f2edf404009ae976d9a1b3e911b8
-
Filesize
3.2MB
MD5a6005cad9c1a27bdc0aa0f7a929c9fed
SHA12f688f56561602360090c9f4c8af4258e1379945
SHA2567f1ceb51892c3e0962511304b8450051d4c06ad91e8c594f2e8de0ef3570c8fa
SHA51213798d566b5d4b715073e42ec596232684b8ed4722686f95ede58d38ed8fc39f7065a9f45173c5edda31f6d07d97894f9697ca7266943cbe01b98b012f77d48b
-
Filesize
58B
MD5f328e184c322cba91dc3c014fe2ef3e9
SHA12aab1f0a70009051dcc87350e0f3b079da02fbb2
SHA256fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d
SHA512e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e