Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 23:48
Static task: static1
Behavioral task: behavioral1
  Sample: b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
  Resource: win10v2004-20230703-en
General
Target: b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
Size: 623KB
MD5: 3f904012111af03ae22495fbeef33362
SHA1: 5f4f665e42329824daf0f72def4b887e78b1d6ae
SHA256: b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d
SHA512: e2460e9824f687a1003c3dbd81a49c142db1c5a5f54456df1847a65e0b056ed22254933d397394465988880480cb5c92aca5b0958e9235bec7beb4ec1458994b
SSDEEP: 6144:aVfjmNoQt6XCjrKk096f1S8CRUnj7Z29PRUi4r:U7+1t6yjrKk096f1Kwi4r
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2660  Logo1_.exe
1832  b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe, 21 drive roots: \??\Z:, \??\V:, \??\L:, \??\I:, \??\M:, \??\H:, \??\W:, \??\T:, \??\R:, \??\N:, \??\E:, \??\U:, \??\S:, \??\P:, \??\K:, \??\J:, \??\G:, \??\Y:, \??\X:, \??\Q:, \??\O:
Drops file in Program Files directory (64 IoCs)
All 64 entries are attributed to Logo1_.exe. 62 of them are _desktop.ini files created or opened for modification across Program Files; the remaining two are executables opened for modification (C:\Program Files\Java\jre1.8.0_66\bin\klist.exe and C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe).
- File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini
- File created C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini
- File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini
- File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini
- File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini
- File opened for modification C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini
- File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini
- File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini
- File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini
- File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini
- File opened for modification C:\Program Files (x86)\Internet Explorer\_desktop.ini
- File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
- File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini
- File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created C:\Windows\rundl132.exe, by b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
- File created C:\Windows\Logo1_.exe, by b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
- File opened for modification C:\Windows\rundl132.exe, by Logo1_.exe
- File created C:\Windows\vDll.dll, by Logo1_.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid   Process              entries
2660  Logo1_.exe           20
2528  msedge.exe           2
4500  msedge.exe           2
5112  identity_helper.exe  2
1496  msedge.exe           7
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid   Process     entries
4500  msedge.exe  7
Suspicious use of FindShellTrayWindow (25 IoCs)
pid   Process     entries
4500  msedge.exe  25
Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process     entries
4500  msedge.exe  24
Suspicious use of WriteProcessMemory (64 IoCs)
Each row: writer PID (writer process) -> target PID [procid_target], number of entries in the table.
4160 (b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe) -> 3676 [82], 3
4160 (b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe) -> 2660 [84], 3
2660 (Logo1_.exe) -> 1896 [85], 3
1896 (net.exe) -> 3456 [87], 3
3676 (cmd.exe) -> 1832 [88], 3
2660 (Logo1_.exe) -> 3152 [55], 2
1832 (b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe) -> 4500 [94], 2
4500 (msedge.exe) -> 1972 [95], 2
4500 (msedge.exe) -> 3828 [96], 40
4500 (msedge.exe) -> 2528 [97], 2
4500 (msedge.exe) -> 1180 [98], 1
Every target in this table except one is the writer's own freshly created child (see the process tree below), which is the normal CreateProcess pattern. The exception is 2660 (Logo1_.exe) -> 3152: PID 3152 is Explorer.EXE, which sits above the sample in the tree and is not a child of Logo1_.exe.
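The signatures above describe five behaviours a detection engineer can turn into rules: a user-writable-path process dropping executables straight into C:\Windows, one of those drops carrying a name that imitates a system binary (rundl132.exe versus the real rundll32.exe), net.exe stopping an antivirus service, one process touching dozens of _desktop.ini files under Program Files, and one process opening the root of nearly every drive letter. The block below is an added example, not Triage's own detection code; the event records are constructed to mirror what the report shows, and the field names ("type", "pid", "image", "path", "cmdline") are an assumption rather than any sensor's real schema.

```python
"""Behavioural checks modelled on the signatures in this report.

Added example, not Triage's detection code. The events are constructed
to mirror the report; the record layout is an assumption.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe")
LOGO1 = r"C:\Windows\Logo1_.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events in the order the report's process tree implies.
EVENTS = [
    {"type": "file", "pid": 4160, "image": SAMPLE, "path": r"C:\Windows\rundl132.exe"},
    {"type": "file", "pid": 4160, "image": SAMPLE, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file", "pid": 2660, "image": LOGO1, "path": r"C:\Windows\vDll.dll"},
    {"type": "proc", "pid": 1896, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    # benign control: the browser launch must trigger nothing
    {"type": "proc", "pid": 4500, "image": EDGE,
     "cmdline": f'"{EDGE}" --single-argument http://pc.weixin.qq.com/'},
]
EVENTS += [{"type": "open", "pid": 2660, "image": LOGO1, "path": f"\\??\\{c}:"}
           for c in "ZVLIMHWTRNEUSPKJGYXQO"]          # the 21 letters in the report
EVENTS += [{"type": "file", "pid": 2660, "image": LOGO1,
            "path": rf"C:\Program Files\VideoLAN\VLC\locale\{loc}\_desktop.ini"}
           for loc in ("bn_IN", "gu", "uz", "ia", "ast", "en_GB", "sr",
                       "de", "fr", "es", "it", "pl")]   # 12 of the 64 writes

SYSTEM_BINARIES = {"rundll32", "svchost", "lsass", "csrss", "explorer",
                   "services", "winlogon", "smss", "dllhost"}
AV_STOP = re.compile(r'\bstop\s+"?[^"]*?(anti.?virus|defender|security|protect)', re.I)
WINDOWS_DROP = re.compile(r'^C:\\Windows\\[^\\]+\.(exe|dll)$', re.I)
DESKTOP_INI = re.compile(r'^C:\\Program Files( \(x86\))?\\.*\\_desktop\.ini$', re.I)
DRIVE_ROOT = re.compile(r'^\\\?\?\\([A-Z]):$', re.I)


def imitated_system_binary(filename):
    """Return the system binary a file name imitates, or None.
    rundl132.exe -> "rundll32": the digit 1 stands in for the letter l."""
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in SYSTEM_BINARIES:
        return None                      # the genuine name, not a lookalike
    lookalike = stem.replace("1", "l").replace("0", "o")
    return lookalike if lookalike in SYSTEM_BINARIES else None


def detect(events, ini_threshold=10, drive_threshold=5):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    findings = []
    ini_paths = defaultdict(set)
    drives = defaultdict(set)
    for ev in events:
        path = ev.get("path", "")
        image = ev["image"].lower()
        if ev["type"] == "proc":
            if image.endswith(("\\net.exe", "\\net1.exe")) and AV_STOP.search(ev["cmdline"]):
                findings.append(("av_service_stop", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "file":
            if WINDOWS_DROP.match(path):
                if image.startswith("c:\\users\\"):
                    findings.append(("user_process_drops_into_windows", ev["pid"], path))
                fake = imitated_system_binary(path.rsplit("\\", 1)[-1])
                if fake:
                    findings.append(("masquerades_as_system_binary", ev["pid"],
                                     f"{path} imitates {fake}.exe"))
            elif DESKTOP_INI.match(path):
                ini_paths[ev["pid"]].add(path)
        elif ev["type"] == "open":
            m = DRIVE_ROOT.match(path)
            if m:
                drives[ev["pid"]].add(m.group(1).upper())
    # Aggregate rules: one file or one drive is noise, dozens are not.
    for pid, paths in ini_paths.items():
        if len(paths) >= ini_threshold:
            findings.append(("desktop_ini_spray", pid,
                             f"{len(paths)} _desktop.ini files under Program Files"))
    for pid, letters in drives.items():
        if len(letters) >= drive_threshold:
            findings.append(("drive_enumeration", pid, "".join(sorted(letters))))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The two aggregate rules carry thresholds because a single _desktop.ini write or a single drive open is routine; the report's counts (64 writes, 21 drive letters from one PID) are far above either default. The lookalike check is deliberately narrow: it only maps digits to the letters they resemble and only reports when the result is a known system binary name, so Logo1_.exe and vDll.dll do not match it.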
Processes
Indentation gives parent/child depth (the number in parentheses is the depth the report shows). Each entry: PID and image path, then the command line and the signatures attributed to that process.

(1) PID 3152  C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  (2) PID 4160  C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe"
      sigs: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    (3) PID 3676  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3DA.bat
        sigs: Suspicious use of WriteProcessMemory
      (4) PID 1832  C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe"
          sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
        (5) PID 4500  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
            sigs: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          (6) PID 1972  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed3d946f8,0x7ffed3d94708,0x7ffed3d94718
          (6) PID 3828  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
          (6) PID 2528  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
              sigs: Suspicious behavior: EnumeratesProcesses
          (6) PID 1180  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
          (6) PID 1312  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
          (6) PID 4596  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
          (6) PID 3912  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
          (6) PID 3740  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
          (6) PID 5112  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
              sigs: Suspicious behavior: EnumeratesProcesses
          (6) PID 3348  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
          (6) PID 3540  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
          (6) PID 2760  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
          (6) PID 3120  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
          (6) PID 1496  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8849797298013671779,364514065513063765,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
              sigs: Suspicious behavior: EnumeratesProcesses
    (3) PID 2660  C:\Windows\Logo1_.exe
        cmd: C:\Windows\Logo1_.exe
        sigs: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      (4) PID 1896  C:\Windows\SysWOW64\net.exe
          cmd: net stop "Kingsoft AntiVirus Service"
          sigs: Suspicious use of WriteProcessMemory
        (5) PID 3456  C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
(1) PID 3500  C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
(1) PID 5056  C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
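The process tree and the WriteProcessMemory table together separate ordinary child creation from injection: a parent always writes into the child it is creating, so the interesting rows are the ones whose target is not the writer's child. The block below is an added example, not part of the Triage report. WPM_ROWS are the distinct rows of the report's WriteProcessMemory table in the page's own text format, and PARENT and IMAGE are read off the process tree above; all three were transcribed by hand for this example. The parser is unanchored on purpose so it also works on the flattened one-line form of the table as it appears on the page.

```python
"""Cross-check WriteProcessMemory rows against the process tree.

Added example, not part of the Triage report. Rows and parent map were
transcribed from this page by hand.
"""
import re

SAMPLE = "b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe"

# Distinct rows of the report's table, in the page's own text format.
WPM_ROWS = [
    f"PID 4160 wrote to memory of 3676 4160 {SAMPLE} 82",
    f"PID 4160 wrote to memory of 2660 4160 {SAMPLE} 84",
    "PID 2660 wrote to memory of 1896 2660 Logo1_.exe 85",
    "PID 1896 wrote to memory of 3456 1896 net.exe 87",
    "PID 3676 wrote to memory of 1832 3676 cmd.exe 88",
    "PID 2660 wrote to memory of 3152 2660 Logo1_.exe 55",
    f"PID 1832 wrote to memory of 4500 1832 {SAMPLE} 94",
    "PID 4500 wrote to memory of 1972 4500 msedge.exe 95",
    "PID 4500 wrote to memory of 3828 4500 msedge.exe 96",
    "PID 4500 wrote to memory of 2528 4500 msedge.exe 97",
    "PID 4500 wrote to memory of 1180 4500 msedge.exe 98",
]

# child pid -> parent pid, from the Processes tree
PARENT = {4160: 3152, 3676: 4160, 2660: 4160, 1832: 3676, 4500: 1832,
          1896: 2660, 3456: 1896, 1972: 4500, 3828: 4500, 2528: 4500,
          1180: 4500}
IMAGE = {3152: "Explorer.EXE", 4160: SAMPLE, 3676: "cmd.exe", 1832: SAMPLE,
         2660: "Logo1_.exe", 1896: "net.exe", 3456: "net1.exe",
         4500: "msedge.exe", 1972: "msedge.exe", 3828: "msedge.exe",
         2528: "msedge.exe", 1180: "msedge.exe"}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>";
# the back-reference \1 enforces the repeated source pid the table carries.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """(writer_pid, target_pid, writer_image, procid_target) for each row."""
    return [(int(s), int(d), img, int(n)) for s, d, img, n in ROW.findall(text)]


def ancestry(pid, parent=PARENT):
    """pid, its parent, its grandparent, ... up to the tree root."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def cross_process_writes(rows, parent=PARENT, image=IMAGE):
    """Rows whose target is not a direct child of the writer, deduplicated."""
    seen, out = set(), []
    for writer, target, writer_image, ordinal in rows:
        if parent.get(target) == writer or (writer, target) in seen:
            continue
        seen.add((writer, target))
        out.append({
            "writer": writer, "writer_image": writer_image,
            "target": target, "target_image": image.get(target, "?"),
            "procid_target": ordinal,
            # True would mean the target is a deeper descendant of the writer
            "target_descends_from_writer": writer in ancestry(target, parent)[1:],
        })
    return out


if __name__ == "__main__":
    for hit in cross_process_writes(parse_rows("\n".join(WPM_ROWS))):
        print(f"{hit['writer_image']} ({hit['writer']}) -> "
              f"{hit['target_image']} ({hit['target']}), "
              f"procid_target {hit['procid_target']}")
```

On the report's data exactly one row survives the filter: Logo1_.exe (2660) writing into Explorer.EXE (3152), the process at the top of the tree rather than anything it spawned. The low procid_target of that row (55, against 82 and upward for every freshly created child) is consistent with a target that existed before the sample ran.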
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, as the report lists them; entries the report shows without a path are kept that way. Two points worth noting: the file at the sample's own Temp path is 596KB with different hashes from the 623KB submitted sample, and a copy with a doubled .exe.exe extension sits beside it with the same hashes. The 26KB file appears three times with identical hashes.

- (no path), 251KB
  MD5 c95de867eae6f63d4b88f646f5c5ce41
  SHA1 5bc5aced580247634f7efe528c13366439500577
  SHA256 f9beead09a4c506ba35cb3b7bbdf1092e6758cc1ab94824ad51b377a5c1d0273
  SHA512 c1752ba054e5c8952b8d608d6f473c9d9a5f54359032c3bd0d8d4bacda2f1361ac1be3fb199dd5c1098169ba55e5d00b1e1c30b6932f5768deb3b378e70474f3
- (no path), 612KB
  MD5 65e552ece63686721c53b66c27e1fe22
  SHA1 bbf99bec7283dfef45e53b189129d456d4c76581
  SHA256 03ed7876f41dfd9f115e35dd01bbb3d49d3d937bcc4a293b4565327ba113dd73
  SHA512 90f61aaf31df16aece0521201f73982ad4b37f43825a7a0371e34fda773fe27f923d85e7ce0270609dd5c6a613d7600d8087b427646fa9ff1bc0e328f687a7cd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index, 72B
  MD5 b29e6ec2a5932be4724cb93b5b1cb287
  SHA1 ae130d06e719f0c6fba728dc29407d78f797719e
  SHA256 2903b4955aa0c1c0e6058e333b07d0f024c7a187a0620d73b508900963a38390
  SHA512 9c854f0e396c66d5419bacabbe92165a76c8b638f15c44634740194ac142313b94dbc6bf0fe5a1fba2538e1196e87571720a0076b49ca932c4b4d18e5842644b
- (no path), 111B
  MD5 807419ca9a4734feaf8d8563a003b048
  SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- (no path), 189B
  MD5 c063919e7c7382bda77a8916da03d559
  SHA1 f67f83ce3b2ceb7d8390f851697779f7fdf23d18
  SHA256 e241c784ecae2e0a23b44103cfe34898bbd552626c98467015dbe8deb9f862d4
  SHA512 3bacfb5c2d4e01ddf61d3aa08fce8d7ed5437037139bf015f03a80b761bb739b3fafab3e23996cbdfe4b1984a5ab3f80ab66a49001918dafaecca8376ed13a4d
- (no path), 5KB
  MD5 9e46a215ce3df27aeadf509cb9e9d00b
  SHA1 1b2907a7daead08e23d4c21f499cab95e2594c2e
  SHA256 3dd8acef9cfe4710e50d743615bba56556868f69d9b8747596e9bed64b2c7452
  SHA512 7a242e3e5dbe674bc37baf53723f0ba9609710f3fdb48062be724470ebf0b349a8010923125197ea39fa349d6b054c0c0f52d80df18d1276bb0d28a71ef76df0
- (no path), 5KB
  MD5 95a192a02fcfb99c5fad7c36f5953229
  SHA1 e18d55689a11346f150eae3cffcad90a7244a952
  SHA256 efb2bb18d370d65f642f6ea61dbf34a0c818554143a21840234e6697b46347d2
  SHA512 739efbf2a8f3f2513e6db894b5f145c5b63f39209ba476e3c4b07486e64d0e92dfe5dfa56e95be6096012f10665ace9d6c5d64e5174b741da0d446829e555087
- (no path), 24KB
  MD5 ca36933e6dea7aa507a272121b34fdbb
  SHA1 3b4741ca0308b345de5ecf6c3565b1dbacb0fb86
  SHA256 fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d
  SHA512 5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e
- (no path), 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- (no path), 12KB
  MD5 3232f3769abbd1fcfd4fe6d5f97540fe
  SHA1 4d3868671d6e29165bad41b913c5c66aea133538
  SHA256 7cb136ede5dcf0289d96bcd28dcf30a7242f936085c6a3984f40c3cc24cd3fd1
  SHA512 c97a4b52e8ee6ebb4a8c7851cc9fded1e0d58c24af2843a5e82c4f452049b04563c18913cd213abaf585aa27cd844f0ec3ec767f47a7753c250794736677c1ec
- (no path), 722B
  MD5 55e8a3ac86395b319d86d92d2a87bc9c
  SHA1 8ebe832c98f50ae3af9b4c38e2fbb2b182f7f0d8
  SHA256 e72f2dd93e468c778497c7c206038efdfbaee1ad7b9ee6220bfb8bb05d39664c
  SHA512 7fb1d80a2af686436748228a323a2f2ee6c86e3fe5a3be77b6b42605d44281b075ebd3c0961b81dcf6f90cf048c81855189a6a8db362111763c186f3cb40c98f
- C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe, 596KB
  MD5 edb2b8b3092a88af851bc559c23ff061
  SHA1 78829606624dcc6770c3b6737466f2f5625bc171
  SHA256 8c72d6aafd3d0359d70a59fae538ecf74b2b48a356587c2ceef9e7be5b8f377b
  SHA512 03d15c1bcd068cfbd9829f2eff5ec94065b3b6a2024ac47526e7ccd348fa223ae2c75c721ec77ab48c2f1ffa96ecd5542d9a939d481bb69a209e5616770df0e8
- C:\Users\Admin\AppData\Local\Temp\b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d.exe.exe, 596KB
  MD5 edb2b8b3092a88af851bc559c23ff061
  SHA1 78829606624dcc6770c3b6737466f2f5625bc171
  SHA256 8c72d6aafd3d0359d70a59fae538ecf74b2b48a356587c2ceef9e7be5b8f377b
  SHA512 03d15c1bcd068cfbd9829f2eff5ec94065b3b6a2024ac47526e7ccd348fa223ae2c75c721ec77ab48c2f1ffa96ecd5542d9a939d481bb69a209e5616770df0e8
- (no path), 26KB, three entries with identical hashes
  MD5 faaa1287ab2f03dda558a8c036df9a3a
  SHA1 ebce114a13f3f73d9470669b12256745b67d5963
  SHA256 3bb531515b6756e9a2015af551948e1809fc59c00eaa9e21fbe882944ef17d00
  SHA512 7e203707ce20eebbfe64ebe6cd41034e7bfa5f99db34ec8a553068c5da12971ed0d153f926e5172ba2c5e7460037fe7240d48bde36f7fbdc3688f2257aaad414
- (no path), 9B
  MD5 4a4922bdf377baedb0460540a7e52405
  SHA1 82789c7c3ee038da34ac62e38ddde0fe667d52ac
  SHA256 589848447b17adf03dfa9db6e17b5ec00d1fabf203fa496bae29ed64764a052f
  SHA512 fe635f97709f5f3df9290c6c53a374351481f13aa45105f48fe3709c15532313eb4d032eed20f2a278b9837c84bba9ba7a7fa2d83cd2a1e3adc0bc930d40c2a1
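The hashes above are what a responder carries to other hosts. The block below is an added example, not a Triage tool: it sweeps a directory, hashing each file once while feeding all four digests from the same buffer, and reports a match on any digest in the report's table, on one of the three file names written into C:\Windows, or on the doubled .exe.exe extension the report shows. The digests in REPORT_IOCS are copied from this report (the submitted sample, the 596KB file written back to the sample's path, and the 26KB dropped file); the walk, the chunk size and the name checks are assumptions about how a responder would use those values.

```python
"""Sweep a directory for the dropped-file indicators from this report.

Added example, not a Triage tool. The IOC values are copied from the
report; everything else is an assumption about responder usage.
"""
import hashlib
import io
from pathlib import Path

REPORT_IOCS = {
    # submitted sample, 623KB
    "3f904012111af03ae22495fbeef33362",
    "b46d1aca634e5b41eea59a7988007d715aa96eb1449eabd683bfff0b9d686b2d",
    # file at the sample's Temp path after the batch ran, 596KB
    "edb2b8b3092a88af851bc559c23ff061",
    "8c72d6aafd3d0359d70a59fae538ecf74b2b48a356587c2ceef9e7be5b8f377b",
    # 26KB dropped file (three identical entries in the table)
    "faaa1287ab2f03dda558a8c036df9a3a",
    "3bb531515b6756e9a2015af551948e1809fc59c00eaa9e21fbe882944ef17d00",
}
DROPPED_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}   # written to C:\Windows
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(fobj, chunk=1 << 16):
    """Read the data once and feed every digest from the same buffer."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def match(digests, filename, iocs=REPORT_IOCS):
    """Reasons this file matches: hash:<algorithm>, name, double_extension."""
    hits = [f"hash:{name}" for name, value in digests.items() if value in iocs]
    lower = filename.lower()
    if lower in DROPPED_NAMES:
        hits.append("name")
    if lower.endswith(".exe.exe"):    # the report shows the sample re-saved as *.exe.exe
        hits.append("double_extension")
    return hits


def sweep(root, iocs=REPORT_IOCS):
    """[(path, [reasons])] for every matching file under root."""
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fobj:
                digests = digest_stream(fobj)
        except OSError:
            continue        # locked or unreadable: skip rather than abort the sweep
        hits = match(digests, path.name, iocs)
        if hits:
            results.append((str(path), hits))
    return results


if __name__ == "__main__":
    import sys
    for path, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(reasons))
```

Matching on every digest rather than only SHA256 costs nothing extra because the file is read once, and it lets the same sweep consume IOC feeds that only publish MD5 or SHA1. Name matches are reported separately from hash matches so a responder can tell a recompiled variant (name hit, no hash hit) from the exact files in this report.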