Analysis
- max time kernel: 190s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 16:37
Static task: static1
Behavioral task: behavioral1
- Sample: b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
- Resource: win10v2004-20220812-en
General
- Target: b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
- Size: 655KB
- MD5: 04e66c511fdf2485df76cbc4a2cb14b0
- SHA1: a669c062474a18e31f61dc00a4a3fcaf697b02e9
- SHA256: b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9
- SHA512: 090c99782f65618ab0e9230846b2ab5dc1bcdf433d34819d6a819297bc6b173484259905427420241a965640bf584c4e66db68d7898c08aa5a04c37041235210
- SSDEEP: 12288:Jq+a9slb39XcI9TC9/1bfLkKKeXnehedVzQjRGf6DbLHAqujSIySgzJ2w7eQke:JqB9TtklkBTzQlGf6DbLHAqujSIcC6
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid   Process
1436  Logo1_.exe
2784  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Caveat: the Nation value reflects the sandbox's locale (en-us here, per the resource tags), so a sample that keys its behaviour on this check may do more or less under a different locale; re-running with the locale of the intended target is the usual check.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 22 records are "File opened (read-only)" by Logo1_.exe, for the drive roots:
\??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
All 64 records are attributed to Logo1_.exe. Most are `_desktop.ini` files (underscore prefix, not the legitimate `desktop.ini`) created or modified next to existing application files; the records that open an existing executable for modification (vlc.exe, orbd.exe, FLTLDR.EXE, 7zG.exe, Uninstall.exe) are the ones that matter most for triage, since they indicate the sample is altering installed programs rather than only planting markers.
description                   ioc
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\_desktop.ini
File created                  C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini
File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini
File opened for modification  C:\Program Files\Java\jre1.8.0_66\_desktop.ini
File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini
File created                  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\_desktop.ini
File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\amd64\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe
File created                  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_desktop.ini
File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini
File opened for modification  C:\Program Files\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini
File created                  C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
File opened for modification  C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini
File opened for modification  C:\Program Files\7-Zip\7zG.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe
File opened for modification  C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini
File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
File opened for modification  C:\Program Files\7-Zip\_desktop.ini
File opened for modification  C:\Program Files\Internet Explorer\fr-FR\_desktop.ini
Drops file in Windows directory (4 IoCs)
description                   ioc                       Process
File created                  C:\Windows\rundl132.exe   b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
File created                  C:\Windows\Logo1_.exe     b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
File created                  C:\Windows\Dll.dll        Logo1_.exe
Note the filename rundl132.exe: it is spelled with the digit 1 and the digit 3 so that it reads as rundll32.exe at a glance. The legitimate binary lives in System32/SysWOW64, not directly in C:\Windows, so a hunt can key on the exact name and the parent directory.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature text flags this as likely ransomware behaviour, but that is the sandbox's generic description of the technique; in this report the file activity (existing executables under Program Files opened for modification, `_desktop.ini` markers written beside them, no renamed or encrypted user files recorded) is more consistent with a file-infecting or spreading component than with encryption. Treat the drive enumeration as reconnaissance for further spread unless a run with writable secondary drives shows otherwise.
-
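The artifacts listed under "Drops file in Windows directory" and "Drops file in Program Files directory", together with the hashes in the Downloads section, are enough to write a host sweep. The following is an added example and not part of the report or of tria.ge: it checks a volume root for the three files planted in C:\Windows, hashes them against the report's SHA256 values, counts the underscore-prefixed `_desktop.ini` markers under Program Files, and looks for the `$$a...bat` helper in user Temp directories. The glob for the batch file assumes the hex part of `$$a154D.bat` varies between runs, which the report does not confirm; the demo tree it builds is a constructed fixture with placeholder bytes, not the sample.

```python
"""Offline sweep for the on-disk artifacts this report attributes to the sample.
Added example, not part of the report or of tria.ge. On a live host or a mounted
image run sweep(Path("C:/")) or sweep(Path("/mnt/evidence")).
"""
import hashlib
import tempfile
from pathlib import Path

# Names from the 'Drops file in Windows directory' signature.
DROPPED_IN_WINDOWS = ("Logo1_.exe", "rundl132.exe", "Dll.dll")

# SHA256 values from the report: the submitted sample and the 'Downloads' section.
KNOWN_SHA256 = {
    "b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9",  # submitted sample, 655KB
    "ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93",  # 621KB file rewritten at the sample's path
    "73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f",  # 33KB dropped file
    "9e3ab2e30442d6fe0daf9a43f0b0ce17a1dc08f1b4f228da7cce6da3451a00e2",  # 722B dropped file
}


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=KNOWN_SHA256):
    """Return the artifacts found under a volume root laid out like C:."""
    root = Path(root)
    result = {"dropped_in_windows": [], "hash_matches": [],
              "desktop_ini_markers": [], "temp_bat": []}
    for name in DROPPED_IN_WINDOWS:
        p = root / "Windows" / name
        if p.is_file():
            result["dropped_in_windows"].append(name)
            if sha256_of(p) in known_hashes:
                result["hash_matches"].append(name)
    # The sample writes '_desktop.ini' (underscore prefix); the legitimate
    # 'desktop.ini' is deliberately not matched.
    program_files = root / "Program Files"
    if program_files.is_dir():
        for p in sorted(program_files.rglob("_desktop.ini")):
            result["desktop_ini_markers"].append(p.relative_to(root).as_posix())
    # Assumption: the hex part of $$a154D.bat varies per run, so match the prefix.
    users = root / "Users"
    if users.is_dir():
        for p in sorted(users.glob("*/AppData/Local/Temp/$$a*.bat")):
            result["temp_bat"].append(p.relative_to(root).as_posix())
    return result


def build_demo_tree():
    """Constructed fixture, not real malware: a scratch directory shaped like the
    C: volume in the report, with placeholder bytes instead of the binaries."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / "Windows").mkdir()
    for name in DROPPED_IN_WINDOWS:
        (root / "Windows" / name).write_bytes(b"placeholder:" + name.encode())
    for d in ("7-Zip", "VideoLAN/VLC/locale/cs", "Java/jre1.8.0_66/lib"):
        p = root / "Program Files" / d
        p.mkdir(parents=True)
        (p / "_desktop.ini").write_bytes(b"")
        (p / "desktop.ini").write_bytes(b"")  # legitimate name, must not be counted
    temp = root / "Users" / "Admin" / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "$$a154D.bat").write_text("rem placeholder\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for key, value in sweep(demo).items():
        print(f"{key}: {value}")
```

Against the constructed tree the three dropped names and the batch file are found and no hash matches, because the placeholder bytes are not the real files; on an infected host the hash match is the confirming signal and the `_desktop.ini` list doubles as the set of directories whose executables need re-hashing against known-good copies.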
Runs net.exe
The process tree shows what it was used for: net stop "Kingsoft AntiVirus Service", issued once by the sample (PID 2236) and twice by Logo1_.exe (PID 1436), each time through net.exe and its net1.exe helper.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2236  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe (listed repeatedly)
1436  Logo1_.exe (listed repeatedly)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeDebugPrivilege       2784  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Token: SeImpersonatePrivilege 2784  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Suspicious use of WriteProcessMemory (36 IoCs)
The report lists most records two or three times; they are collapsed here with a count column.
description                       pid   Process                                                                 procid_target  count
PID 2236 wrote to memory of 4760  2236  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe  84             3
PID 4760 wrote to memory of 2776  4760  net.exe                                                                 86             3
PID 2236 wrote to memory of 4160  2236  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe  87             3
PID 2236 wrote to memory of 1436  2236  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe  88             3
PID 1436 wrote to memory of 3456  1436  Logo1_.exe                                                              90             3
PID 3456 wrote to memory of 4868  3456  net.exe                                                                 92             3
PID 4160 wrote to memory of 2784  4160  cmd.exe                                                                 93             3
PID 1436 wrote to memory of 1772  1436  Logo1_.exe                                                              94             3
PID 1772 wrote to memory of 648   1772  net.exe                                                                 96             3
PID 1436 wrote to memory of 2348  1436  Logo1_.exe                                                              39             2
PID 2784 wrote to memory of 3588  2784  b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe  99             3
PID 4948 wrote to memory of 4320  4948  explorer.exe                                                            101            2
PID 4320 wrote to memory of 980   4320  msedge.exe                                                              103            2
Processes
The numbers give the depth in the tree as shown by the sandbox; "cmd:" is the recorded command line.
1. C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
   PID:2236
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\net.exe
      cmd: net stop "Kingsoft AntiVirus Service"
      PID:4760
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net1.exe
         cmd: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
         PID:2776
   2. C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a154D.bat
      PID:4160
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
         cmd: "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
         PID:2784
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            cmd: "C:\Windows\System32\explorer.exe" URL="http://down.360safe.com/setup.exe"
            PID:3588
   2. C:\Windows\Logo1_.exe
      cmd: C:\Windows\Logo1_.exe
      PID:1436
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe
         cmd: net stop "Kingsoft AntiVirus Service"
         PID:3456
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID:4868
      3. C:\Windows\SysWOW64\net.exe
         cmd: net stop "Kingsoft AntiVirus Service"
         PID:1772
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID:648
1. C:\Windows\Explorer.EXE
   cmd: C:\Windows\Explorer.EXE
   PID:2348
1. C:\Windows\explorer.exe
   cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   PID:4948
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://down.360safe.com/setup.exe
      PID:4320
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7efa46f8,0x7ffd7efa4708,0x7ffd7efa4718
         PID:980
Reading the tree: the sample (2236) stops the Kingsoft antivirus service, drops and starts C:\Windows\Logo1_.exe (1436), and runs the batch file $$a154D.bat through cmd.exe; the copy that cmd.exe then launches at the sample's own path (2784) is flagged "Executes dropped EXE" and, per the Downloads section, is a 621KB file with different hashes from the 655KB submission. That rewritten copy opens http://down.360safe.com/setup.exe through explorer.exe, which the desktop shell hands to Edge (4948 -> 4320 -> 980). Logo1_.exe repeats the service stop twice and is the process behind every Program Files modification. The "1436 wrote to memory of 2348" record is a write into the already-running desktop shell (Explorer.EXE, a top-level process here), not the start of a child, so it should be read as injection rather than process creation.
-
-
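The flat "PID X wrote to memory of Y" records above are easy to misread as a parent/child list, but the sandbox also logs the write a parent performs while starting its child, so the lineage must come from the process tree and the memory writes are a separate signal. The following added example (not part of the report or of tria.ge) rebuilds that lineage from the tree in the Processes section and derives four detections from it: an antivirus service stopped via net.exe, a WriteProcessMemory into a process the writer did not create, a program re-launched through an intermediary (here cmd.exe and a batch file), and a process started from the root of C:\Windows. The PIDs, images and arguments are copied from this report; only the function and field names are the example's own.

```python
"""Rebuild the process lineage in this report and derive detections from it.
Added example; not part of the report or of tria.ge.
"""
import re
from collections import defaultdict

SAMPLE = "b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
NET_STOP = 'stop "Kingsoft AntiVirus Service"'

# Constructed from the report's 'Processes' section: (pid, parent pid, image, arguments).
# Parent None means the process sits at the top level of the report's tree.
PROCESSES = [
    (2236, None, TEMP + "\\" + SAMPLE, ""),
    (4760, 2236, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    (2776, 4760, r"C:\Windows\SysWOW64\net1.exe", NET_STOP),
    (4160, 2236, r"C:\Windows\SysWOW64\cmd.exe", "/c " + TEMP + r"\$$a154D.bat"),
    (2784, 4160, TEMP + "\\" + SAMPLE, ""),
    (3588, 2784, r"C:\Windows\SysWOW64\explorer.exe", 'URL="http://down.360safe.com/setup.exe"'),
    (1436, 2236, r"C:\Windows\Logo1_.exe", ""),
    (3456, 1436, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    (4868, 3456, r"C:\Windows\SysWOW64\net1.exe", NET_STOP),
    (1772, 1436, r"C:\Windows\SysWOW64\net.exe", NET_STOP),
    (648, 1772, r"C:\Windows\SysWOW64\net1.exe", NET_STOP),
    (2348, None, r"C:\Windows\Explorer.EXE", ""),
    (4948, None, r"C:\Windows\explorer.exe", "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    (4320, 4948, EDGE, "--single-argument http://down.360safe.com/setup.exe"),
    (980, 4320, EDGE, "--type=crashpad-handler"),
]

# Constructed from the 'Suspicious use of WriteProcessMemory' signature, one line
# per unique record (the report repeats most of them two or three times).
WPM_RECORDS = """
PID 2236 wrote to memory of 4760
PID 4760 wrote to memory of 2776
PID 2236 wrote to memory of 4160
PID 2236 wrote to memory of 1436
PID 1436 wrote to memory of 3456
PID 3456 wrote to memory of 4868
PID 4160 wrote to memory of 2784
PID 1436 wrote to memory of 1772
PID 1772 wrote to memory of 648
PID 1436 wrote to memory of 2348
PID 2784 wrote to memory of 3588
PID 4948 wrote to memory of 4320
PID 4320 wrote to memory of 980
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(text):
    """(writer pid, target pid) pairs with the report's duplicates collapsed."""
    return {(int(w), int(t)) for w, t in WPM_RE.findall(text)}


class ProcessTree:
    def __init__(self, rows):
        self.parent = {pid: ppid for pid, ppid, _, _ in rows}
        self.image = {pid: img for pid, _, img, _ in rows}
        self.args = {pid: a for pid, _, _, a in rows}
        self.children = defaultdict(list)
        for pid, ppid, _, _ in rows:
            if ppid is not None:
                self.children[ppid].append(pid)

    def ancestors(self, pid):
        """Parent, grandparent, ... up to the top-level process."""
        out = []
        while self.parent.get(pid) is not None:
            pid = self.parent[pid]
            out.append(pid)
        return out

    def root(self, pid):
        chain = self.ancestors(pid)
        return chain[-1] if chain else pid

    def basename(self, pid):
        return self.image[pid].rsplit("\\", 1)[-1].lower()


def av_service_stops(tree):
    """net.exe stopping a service whose name contains 'antivirus';
    returns (net.exe pid, pid at the root of its lineage)."""
    return [(pid, tree.root(pid)) for pid in tree.image
            if tree.basename(pid) == "net.exe"
            and tree.args[pid].lower().startswith("stop")
            and "antivirus" in tree.args[pid].lower()]


def writes_outside_lineage(tree, wpm):
    """WriteProcessMemory into a process the writer did not create: the target's
    parent is someone else (or it is top-level), so this is injection into a
    process that already existed, not the write that accompanies process start."""
    return sorted((w, t) for w, t in wpm if tree.parent.get(t) != w)


def relaunches_via_intermediary(tree):
    """A process whose image also belongs to an ancestor but not to its direct
    parent: the same program started again through something else (here cmd.exe
    running a batch file). Same-image direct children, such as browser helper
    processes, are normal and are not reported."""
    hits = []
    for pid, img in tree.image.items():
        parent = tree.parent.get(pid)
        if parent is None or tree.image[parent].lower() == img.lower():
            continue
        if any(tree.image[a].lower() == img.lower() for a in tree.ancestors(pid)):
            hits.append(pid)
    return hits


def spawned_from_windows_root(tree):
    """Non-top-level processes whose image sits directly in C:\\Windows
    (not System32 or SysWOW64)."""
    return [pid for pid, img in tree.image.items()
            if img.rpartition("\\")[0].lower() == r"c:\windows" and tree.root(pid) != pid]


def analyse(rows=PROCESSES, wpm_text=WPM_RECORDS):
    tree = ProcessTree(rows)
    return {
        "av_service_stop": av_service_stops(tree),
        "injection_into_existing_process": writes_outside_lineage(tree, parse_wpm(wpm_text)),
        "self_relaunch_via_intermediary": relaunches_via_intermediary(tree),
        "spawned_from_windows_root": spawned_from_windows_root(tree),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name}: {hits}")
```

All three service stops resolve to the same root (2236), the only write outside the lineage is Logo1_.exe into Explorer.EXE, the only re-launch through an intermediary is the rewritten sample (2784) under cmd.exe, and the only descendant started from the C:\Windows root is Logo1_.exe. The same functions work on EDR process-tree exports once the rows are mapped to (pid, parent, image, args).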
Network
MITRE ATT&CK Enterprise v6
Downloads
- (path not shown in the report)
  Filesize: 722B
  MD5: 7912cbf465c3e8950ce613f336922db2
  SHA1: e64e3af97a60c5b7b6119ed35ddbf5579a0d4f36
  SHA256: 9e3ab2e30442d6fe0daf9a43f0b0ce17a1dc08f1b4f228da7cce6da3451a00e2
  SHA512: c9608e01e1042416d4a269b0b864e733bfa8e2a381da000a768a8652ec2dd4cc2385ec816524aec38506951ff4e4811a558bff196507944b5e23d72233a20e02
- C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
  Filesize: 621KB
  MD5: b96935d921cb6665638ff00f1b6b8098
  SHA1: b71c40c76301a52e3d49b06ad3f99afffa178934
  SHA256: ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93
  SHA512: 40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8
  Note: this is the path the sample was submitted at, but the file recorded here is 621KB with different hashes from the 655KB submission listed under General. The sample rewrote its own path through $$a154D.bat before cmd.exe re-launched it (PID 2784, flagged "Executes dropped EXE"), so the hash to pivot on for the original carrier is the one under General, and this one identifies what is left at the path afterwards.
- C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe.exe
  Filesize: 621KB
  MD5: b96935d921cb6665638ff00f1b6b8098
  SHA1: b71c40c76301a52e3d49b06ad3f99afffa178934
  SHA256: ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93
  SHA512: 40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8
- (path not shown in the report; listed three times with identical hashes, i.e. three dropped files with the same content)
  Filesize: 33KB
  MD5: d3c9b20260fa9b0131b750f762f5d083
  SHA1: a41ae48d90e642b7ec53c03e2dcefe75ff9c523c
  SHA256: 73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f
  SHA512: c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64