Overview (score 10)
Static (score 10)

Behavioral task tabs (sample as shown in the tab strip, platform, score):
- @_136 @828...SM.exe, windows7-x64: 7
- @_136 @828...SM.exe, windows10-2004-x64: 7
- TrashMalwa...in.exe, windows7-x64: 8
- TrashMalwa...in.exe, windows10-2004-x64: 8
- AdStRkJ.exe, windows7-x64: 8
- AdStRkJ.exe, windows10-2004-x64: 8
- Anatralier.exe, windows7-x64: 7
- Anatralier.exe, windows10-2004-x64: 7
- TrashMalwa...er.exe, windows7-x64: 3
- TrashMalwa...er.exe, windows10-2004-x64: 8
- TrashMalwa...nk.exe, windows7-x64: 8
- TrashMalwa...nk.exe, windows10-2004-x64: 8
- TrashMalwa...oN.bat, windows7-x64: 8
- TrashMalwa...oN.bat, windows10-2004-x64: 8
- TrashMalwa...zz.exe, windows7-x64: 6
- TrashMalwa...zz.exe, windows10-2004-x64: 6
- TrashMalwa...de.exe, windows7-x64: 7
- TrashMalwa...de.exe, windows10-2004-x64: 7
- TrashMalwa...20.exe, windows7-x64: 4
- TrashMalwa...20.exe, windows10-2004-x64: 7
- TrashMalwa...ll.exe, windows7-x64: 7
- TrashMalwa...ll.exe, windows10-2004-x64: 7
- TrashMalwa...le.exe, windows7-x64: 8
- TrashMalwa...le.exe, windows10-2004-x64: 8
- TrashMalwa...oe.bat, windows7-x64: 8
- TrashMalwa...oe.bat, windows10-2004-x64: 8
- TrashMalwa....0.exe, windows7-x64: 6
- TrashMalwa....0.exe, windows10-2004-x64: 7
- TrashMalwa....0.exe, windows7-x64: 8
- TrashMalwa....0.exe, windows10-2004-x64: 7
- TrashMalwa....0.exe, windows7-x64: 7
- TrashMalwa....0.exe, windows10-2004-x64: 7

Analysis
- max time kernel: 144s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 20:26
Behavioral tasks (task: sample, resource)
- behavioral1: @_136 @828#-138389J-SJFJDSM.exe, win7-20240221-en
- behavioral2: @_136 @828#-138389J-SJFJDSM.exe, win10v2004-20240226-en
- behavioral3: TrashMalwares-main/AcidRain.exe, win7-20240221-en
- behavioral4: TrashMalwares-main/AcidRain.exe, win10v2004-20240226-en
- behavioral5: AdStRkJ.exe, win7-20240221-en
- behavioral6: AdStRkJ.exe, win10v2004-20240226-en
- behavioral7: Anatralier.exe, win7-20240215-en
- behavioral8: Anatralier.exe, win10v2004-20240226-en
- behavioral9: TrashMalwares-main/Antivirus_Installer.exe, win7-20240221-en
- behavioral10: TrashMalwares-main/Antivirus_Installer.exe, win10v2004-20240226-en
- behavioral11: TrashMalwares-main/Dro trojan. Virus prank.exe, win7-20240221-en
- behavioral12: TrashMalwares-main/Dro trojan. Virus prank.exe, win10v2004-20240226-en
- behavioral13: TrashMalwares-main/FaZoN.bat, win7-20240221-en
- behavioral14: TrashMalwares-main/FaZoN.bat, win10v2004-20240226-en
- behavioral15: TrashMalwares-main/Fizz.exe, win7-20240221-en
- behavioral16: TrashMalwares-main/Fizz.exe, win10v2004-20240226-en
- behavioral17: TrashMalwares-main/Ginxide.exe, win7-20240221-en
- behavioral18: TrashMalwares-main/Ginxide.exe, win10v2004-20240226-en
- behavioral19: TrashMalwares-main/Install Windows20.exe, win7-20240221-en
- behavioral20: TrashMalwares-main/Install Windows20.exe, win10v2004-20240226-en
- behavioral21: TrashMalwares-main/MS-RickRoll.exe, win7-20240220-en
- behavioral22: TrashMalwares-main/MS-RickRoll.exe, win10v2004-20240226-en
- behavioral23: TrashMalwares-main/MercuryXhoffle.exe, win7-20240221-en
- behavioral24: TrashMalwares-main/MercuryXhoffle.exe, win10v2004-20240226-en
- behavioral25: TrashMalwares-main/NetPakoe.bat, win7-20240221-en
- behavioral26: TrashMalwares-main/NetPakoe.bat, win10v2004-20240226-en
- behavioral27: TrashMalwares-main/NetPakoe3.0.exe, win7-20240221-en
- behavioral28: TrashMalwares-main/NetPakoe3.0.exe, win10v2004-20240226-en
- behavioral29: TrashMalwares-main/NoEscape8.0.exe, win7-20240221-en
- behavioral30: TrashMalwares-main/NoEscape8.0.exe, win10v2004-20240226-en
- behavioral31: TrashMalwares-main/PC shaking v4.0.exe, win7-20240220-en
- behavioral32: TrashMalwares-main/PC shaking v4.0.exe, win10v2004-20240226-en
General
- Target: TrashMalwares-main/Dro trojan. Virus prank.exe
- Size: 1.8MB
- MD5: af483a4c67d358dd807194ef89484f1e
- SHA1: 4aefb5884e289fb85af3f5a5bec344b738073603
- SHA256: 480ca2097e13abb1444b69b0d984961702f8ee8122fc0f0acc5bff217d253854
- SHA512: e5739841097828a7789e7a3317a0efa1ce4c109490df1d1ce62e559fa555affc7aee69d389bb50d5dbb4bf5d1d87d94a22cf4a5b9a0e3d7da3b48813c1c75917
- SSDEEP: 49152:ysNjxEmz1dG6HOMlDTsBQL/difgzGSe5Wa6IQ:yYymicDT2C/EfyuUl
Malware Config
Signatures

- Disables Task Manager via registry modification

- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  R_O_13-27.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  Dro trojan. Virus prank.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  START.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  WScript.exe

- Executes dropped EXE (9 IoCs)
  pid   process
  4156  START.exe
  2920  Killer.exe
  2588  Shaking_horizontally.exe
  2060  R_O_13-27.exe
  980   Draw_cursor.exe
  3612  Error_icons.exe
  4644  Inversion_and_oil.exe
  4876  New_Names.exe
  5096  Shaking_horizontally.exe

- Loads dropped DLL (8 IoCs)
  pid   process
  4156  START.exe
  2920  Killer.exe
  2588  Shaking_horizontally.exe
  2060  R_O_13-27.exe
  980   Draw_cursor.exe
  3612  Error_icons.exe
  4644  Inversion_and_oil.exe
  5096  Shaking_horizontally.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoCs)
  pid   process
  2584  timeout.exe

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

- Kills process with taskkill (6 IoCs)
  pid   process
  3348  taskkill.exe
  2144  taskkill.exe
  3332  taskkill.exe
  2032  taskkill.exe
  4020  taskkill.exe
  1352  taskkill.exe

- Modifies registry class (1 IoCs)
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings  START.exe

- Runs regedit.exe (1 IoCs)
  pid   process
  3844  regedit.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process              entries
  3020  msedge.exe           2
  4940  msedge.exe           2
  2432  identity_helper.exe  2

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   process     entries
  4940  msedge.exe  7

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   4020  taskkill.exe
  Token: SeDebugPrivilege   1352  taskkill.exe
  Token: SeDebugPrivilege   3348  taskkill.exe
  Token: SeDebugPrivilege   2144  taskkill.exe
  Token: SeDebugPrivilege   3332  taskkill.exe
  Token: SeDebugPrivilege   2032  taskkill.exe

- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   process      entries
  392   WScript.exe  1
  4940  msedge.exe   25

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process     entries
  4940  msedge.exe  24

- Suspicious use of WriteProcessMemory (64 IoCs)
  Each "PID X wrote to memory of Y" row below is repeated three times in the original listing; the listing stops at 64 entries, so the last row is cut off after its first occurrence.
  pid   process                      target pid  target process            entries
  2432  Dro trojan. Virus prank.exe  4156        START.exe                 3
  4156  START.exe                    1324        WScript.exe               3
  4156  START.exe                    2920        Killer.exe                3
  1324  WScript.exe                  3968        cmd.exe                   3
  3968  cmd.exe                      2440        reg.exe                   3
  3968  cmd.exe                      4020        taskkill.exe              3
  3968  cmd.exe                      1352        taskkill.exe              3
  3968  cmd.exe                      3348        taskkill.exe              3
  3968  cmd.exe                      2144        taskkill.exe              3
  3968  cmd.exe                      3332        taskkill.exe              3
  3968  cmd.exe                      3612        reg.exe                   3
  4156  START.exe                    392         WScript.exe               3
  4156  START.exe                    1972        WScript.exe               3
  1972  WScript.exe                  3408        cmd.exe                   3
  3408  cmd.exe                      2588        Shaking_horizontally.exe  3
  3408  cmd.exe                      2584        timeout.exe               3
  3408  cmd.exe                      2032        taskkill.exe              3
  4156  START.exe                    2060        R_O_13-27.exe             3
  2060  R_O_13-27.exe                2464        notepad.exe               3
  2060  R_O_13-27.exe                3844        regedit.exe               3
  4156  START.exe                    980         Draw_cursor.exe           3
  2060  R_O_13-27.exe                3548        notepad.exe               1
Processes

Process tree ([n] is the depth in the tree; "cmd:" is the command line as captured, which may differ from the image path because of WoW64 redirection):

[1] PID 2432  C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [2] PID 4156  C:\Users\Admin\AppData\Local\Temp\START.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\START.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [3] PID 1324  C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      [4] PID 3968  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZbDz.bat" "
        - Suspicious use of WriteProcessMemory
        [5] PID 2440  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
        [5] PID 4020  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Taskmgr.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 1352  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Taskmgr.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 3348  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Taskmgr.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 2144  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Taskmgr.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 3332  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Taskmgr.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 3612  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
    [3] PID 2920  C:\Users\Admin\AppData\Local\Temp\Killer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Killer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] PID 392  C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse_all.js"
      - Suspicious use of FindShellTrayWindow
    [3] PID 1972  C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHK.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      [4] PID 3408  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SHK.bat" "
        - Suspicious use of WriteProcessMemory
        [5] PID 2588  C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
          cmd: Shaking_horizontally.exe
          - Executes dropped EXE
          - Loads dropped DLL
        [5] PID 2584  C:\Windows\SysWOW64\timeout.exe
          cmd: timeout /t 1
          - Delays execution with timeout.exe
        [5] PID 2032  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /IM Shaking_horizontally.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] PID 2060  C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [4] PID 2464  C:\Windows\SysWOW64\notepad.exe
        cmd: "C:\Windows\System32\notepad.exe"
      [4] PID 3844  C:\Windows\SysWOW64\regedit.exe
        cmd: "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      [4] PID 3548  C:\Windows\SysWOW64\notepad.exe
        cmd: "C:\Windows\System32\notepad.exe"
      [4] PID 884  C:\Windows\SysWOW64\notepad.exe
        cmd: "C:\Windows\System32\notepad.exe"
      [4] PID 4940  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://neave.tv/
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        [5] PID 2584  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff897b846f8,0x7ff897b84708,0x7ff897b84718
        [5] PID 1680  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
        [5] PID 3020  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        [5] PID 2328  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
        [5] PID 4268  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        [5] PID 3108  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        [5] PID 2236  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        [5] PID 3120  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
        [5] PID 2432  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        [5] PID 2904  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
        [5] PID 3148  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
        [5] PID 2516  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        [5] PID 1224  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      [4] PID 3524  C:\Windows\SysWOW64\notepad.exe
        cmd: "C:\Windows\System32\notepad.exe"
      [4] PID 2904  C:\Windows\SysWOW64\notepad.exe
        cmd: "C:\Windows\System32\notepad.exe"
    [3] PID 980  C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] PID 3612  C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Error_icons.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] PID 4644  C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] PID 4876  C:\Users\Admin\AppData\Local\Temp\New_Names.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\New_Names.exe"
      - Executes dropped EXE
    [3] PID 5096  C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe"
      - Executes dropped EXE
      - Loads dropped DLL
[1] PID 4808  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] PID 4456  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads