Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/04/2024, 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  Resource: win10v2004-20240412-en
General
  Target: 504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  Size: 673KB
  MD5: eef95824599c1dbe16300e150ad781ea
  SHA1: 1e1dfd666565885fba88c805aacaffe62075cbe7
  SHA256: 504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726
  SHA512: a3d5d4557e8fc068a137ae7fd01feb304cc5d937c91b9b200908e70e522a5997876a1a0c347db26671cc2d53a928320da7b1ba60bbed756de420942d87c9da12
  SSDEEP: 6144:iTVfjmNintDDE565kzLGKlMy7j6soGtLEKyyK29PRgVIR:ip7+intHE565kzLGnAj9XLESn0VK
Malware Config
Signatures
Executes dropped EXE 2 IoCs
  pid   Process
  4388  Logo1_.exe
  3284  504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  File created                  C:\Windows\Logo1_.exe    504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (indented by parent/child depth)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3420

  C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4076

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3316.bat
      - Suspicious use of WriteProcessMemory
      PID: 1312

      C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3284

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3988

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffebb346f8,0x7fffebb34708,0x7fffebb34718
            PID: 4412

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
            PID: 2064

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
            PID: 3236

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
            PID: 3668

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
            PID: 628

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
            PID: 4912

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
            PID: 3240

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
            PID: 1988

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
            PID: 3432

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
            PID: 2168

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
            PID: 2408

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
            PID: 3464

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
            PID: 3832

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10153162159281300170,13268896861285302219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5628 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 468

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4388

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2944

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3936

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4200

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Downloads