Analysis

max time kernel: 74s
max time network: 75s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05/10/2024, 21:40

Static task: static1
Behavioral task: behavioral1
Sample: injector.bat
Resource: win11-20240802-en
General

Target: injector.bat
Size: 737B
MD5: 1221e75df68bfb8831e5908dd016cb53
SHA1: f77c8397c97f7396f83c897dd285f645618ab490
SHA256: b37679f69723fa5c6ef006bdb6464e6fbcb55df4f9d29206f9476fd6fb946abc
SHA512: 2f7a2878d39e1b51b4df90cacad543746583e8413b42b4cba261e8ab97488f73e15abb8edf0193e0376d6e09144a420d55f8ca58a38a1dd25bf85b418bc04ea7
Malware Config: none shown.

Signatures

System Time Discovery (1 TTP, 9 IoCs)
Adversaries may gather the system time and/or time zone settings from a local or remote system.
pid / process: 4332 certutil.exe, 5104 certutil.exe, 4368 certutil.exe, 1772 certutil.exe, 2928 certutil.exe, 3960 certutil.exe, 2484 certutil.exe, 944 certutil.exe, 4120 certutil.exe
All nine are certutil -encode children of the sample's cmd.exe (PID 1768) in the process tree below, 9 of its 40 certutil children.

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 9 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings (OpenWith.exe)

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
pid / process: 1452 WINWORD.EXE (x2), 1004 vlc.exe, 2080 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid / process: 4336 msedge.exe (x2), 4736 msedge.exe (x2), 4752 msedge.exe (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / process: 1004 vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid / process: 4736 msedge.exe (x4)

Suspicious use of FindShellTrayWindow (40 IoCs)
pid / process: 4736 msedge.exe (x26), 1004 vlc.exe (x14)

Suspicious use of SendNotifyMessage (25 IoCs)
pid / process: 4736 msedge.exe (x12), 1004 vlc.exe (x13)

Suspicious use of SetWindowsHookEx (22 IoCs)
pid / process: 1452 WINWORD.EXE (x7), 1576 OpenWith.exe, 1004 vlc.exe, 2080 EXCEL.EXE (x13)

Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is cmd.exe (PID 1768) writing to the memory of a process it had just started, two entries per child, procid_target 79 to 110. Child PIDs in order: 2172, 688, 1696, 4976, 2952, 2996, 3992, 4000, 1552, 3004, 2384, 3796, 3068, 4468, 1356, 4732, 1184, 4332, 2484, 5104, 5028, 4724, 944, 4120, 4368, 5092, 2096, 1772, 2928, 3960, 2868, 3404 (32 children).
The IoC list is capped at 64 entries, so the last eight certutil children in the process tree (PID 4020 onward) are not listed here. A pair of parent-to-child writes at process start is consistent with the parent populating the new process's parameters during CreateProcess; by itself this signature records cmd.exe launching its children, not injection into an already running process.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
No IoCs listed.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
No IoCs listed.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
No IoCs listed.

None of the signatures above targets the certutil -encode pattern itself; that behaviour is visible only in the process tree.
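The sandbox flags time queries and the parent's process-start writes, but has no rule for what the batch file actually does: one cmd.exe spawning a burst of certutil -encode children that each write <input>.encrypted. The following is an added example and not a Triage signature or anything from the sample. It is a small detector over process-creation events with Sysmon Event ID 1 style fields; the event records are constructed from the command lines in this report's process tree, and the parent PID given to cmd.exe (4000) plus the two contrasting certutil invocations under other parents are assumptions.

```python
"""Detect a burst of certutil encode/decode children under one parent, the
pattern in this report's process tree. Added example, not a Triage rule."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# certutil switches that turn it into a file encoder/decoder (LOLBin use).
CODEC_RE = re.compile(r'\bcertutil(?:\.exe)?"?\s+[-/](encode|decode|encodehex|decodehex)\b', re.I)
QUOTED_RE = re.compile(r'"([^"]*)"')

TMP = r"C:\Users\Admin\AppData\Local\Temp"


def encode_child(pid, name):
    """One certutil -encode child in the form it appears in the tree above."""
    return ProcEvent(pid, 1768, r"C:\Windows\system32\certutil.exe",
                     f'certutil -encode "{TMP}\\{name}" "{TMP}\\{name}.encrypted"')


# Constructed events: the batch's cmd.exe and a subset of its certutil children
# taken from this report, plus two unrelated certutil uses for contrast.
# The parent PID of cmd.exe (4000) and the two contrast events are assumptions.
EVENTS = [
    ProcEvent(1768, 4000, r"C:\Windows\system32\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c "{TMP}\injector.bat"'),
    encode_child(2172, ".ses"),
    encode_child(688, "AdobeSFX.log"),
    encode_child(1696, "aria-debug-324.log"),
    encode_child(4976, "BroadcastMsg_1722612663.txt"),
    encode_child(2952, "chrome_installer.log"),
    encode_child(3404, "msedge_installer.log"),
    encode_child(992, "wmsetup.log"),
    ProcEvent(5555, 4000, r"C:\Windows\system32\certutil.exe",
              r"certutil -hashfile C:\tools\agent.exe SHA256"),
    ProcEvent(5556, 4001, r"C:\Windows\system32\certutil.exe",
              r'certutil -decode "C:\tools\blob.txt" "C:\tools\blob.bin"'),
]


def codec_call(ev):
    """Return (verb, src, dst) when ev is a certutil encode/decode call, else None."""
    if not ev.image.lower().endswith("certutil.exe"):
        return None
    m = CODEC_RE.search(ev.cmdline)
    if not m:
        return None
    rest = ev.cmdline[m.end():]
    args = QUOTED_RE.findall(rest) or rest.split()
    if len(args) < 2:
        return None
    return m.group(1).lower(), args[0], args[1]


def find_certutil_bursts(events, min_children=5):
    """Group codec calls by parent PID and report every parent at or above the
    threshold, with the common output suffix when all children share one
    (".encrypted" for this sample)."""
    by_parent = defaultdict(list)
    for ev in events:
        call = codec_call(ev)
        if call is not None:
            by_parent[ev.ppid].append((ev.pid,) + call)
    findings = []
    for ppid, calls in sorted(by_parent.items()):
        if len(calls) < min_children:
            continue
        suffixes = {dst[len(src):] if dst.startswith(src) else None
                    for _, _, src, dst in calls}
        findings.append({
            "parent_pid": ppid,
            "children": [c[0] for c in calls],
            "verbs": sorted({c[1] for c in calls}),
            "output_suffix": next(iter(suffixes)) if len(suffixes) == 1 else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_certutil_bursts(EVENTS):
        print(finding)
```

The threshold is the tunable part: a single certutil -decode under an installer is routine, while a dozen encodes from one cmd.exe against files in the user's Temp directory, all sharing an output suffix, is the shape of this sample. The shared-suffix field is what separates a renaming "encryptor" from legitimate certificate handling.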
Processes

C:\Windows\system32\cmd.exe (PID 1768)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\injector.bat"
  signatures: Suspicious use of WriteProcessMemory
  40 children, all C:\Windows\system32\certutil.exe, each run as
    certutil -encode "C:\Users\Admin\AppData\Local\Temp\<file>" "C:\Users\Admin\AppData\Local\Temp\<file>.encrypted"
  with PID and <file> as follows (STD = System Time Discovery signature fired on that child):
    2172  .ses
    688   AdobeSFX.log
    1696  aria-debug-324.log
    4976  BroadcastMsg_1722612663.txt
    2952  chrome_installer.log
    2996  dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
    3992  dd_vcredistMSI2E64.txt
    4000  dd_vcredistMSI2E81.txt
    1552  dd_vcredistUI2E64.txt
    3004  dd_vcredistUI2E81.txt
    2384  JavaDeployReg.log
    3796  jawshtml.html
    3068  jusched.log
    4468  LIRNGFNA-20240802-1531.log
    1356  LIRNGFNA-20240802-1531a.log
    4732  Microsoft .NET Framework 4.7.2 Setup_20240802_152703676.html
    1184  Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727.log
    4332  Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_000_dotnet_runtime_6.0.27_win_x64.msi.log  [STD]
    2484  Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_001_dotnet_hostfxr_6.0.27_win_x64.msi.log  [STD]
    5104  Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_002_dotnet_host_6.0.27_win_x64.msi.log  [STD]
    5028  Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log
    4724  Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750.log
    944   Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_000_dotnet_runtime_7.0.16_win_x64.msi.log  [STD]
    4120  Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_001_dotnet_hostfxr_7.0.16_win_x64.msi.log  [STD]
    4368  Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_002_dotnet_host_7.0.16_win_x64.msi.log  [STD]
    5092  Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log
    2096  Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814.log
    1772  Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_000_dotnet_runtime_8.0.2_win_x64.msi.log  [STD]
    2928  Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_001_dotnet_hostfxr_8.0.2_win_x64.msi.log  [STD]
    3960  Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_002_dotnet_host_8.0.2_win_x64.msi.log  [STD]
    2868  Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log
    3404  msedge_installer.log
    4020  wct5B5E.tmp
    2820  wctAD85.tmp
    4824  wctB0B3.tmp
    4588  wctBE7F.tmp
    2884  wctCB00.tmp
    4172  wctEC25.tmp
    992   wmsetup.log
    1812  {CD6BD643-5578-438E-8874-C9BE0980F6C1} - OProcSessId.dat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  children (all C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe):
    PID 1196: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc11903cb8,0x7ffc11903cc8,0x7ffc11903cd8
    PID 1912: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
    PID 4336: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3  [Suspicious behavior: EnumeratesProcesses]
    PID 1500: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
    PID 2352: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    PID 4880: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    PID 3220: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
    PID 688: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    PID 4752: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8  [Suspicious behavior: EnumeratesProcesses]
C:\Windows\System32\CompPkgSrv.exe (PID 1004)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 5012)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 3404)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1452)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CompareUnprotect.docm" /o ""
  signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (PID 1576)
  C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1004)
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\LockLimit.aif"
  signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2080)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\ResizeExpand.xlt"
  signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

The Edge, CompPkgSrv, rundll32, Word, OpenWith, VLC and Excel entries are separate root processes, not children of the sample's cmd.exe (PID 1768); the registry, hook and window signatures listed against them belong to those processes and not to injector.bat. Several PIDs recur across the tree (688, 1004, 3404) because Windows reuses PIDs once a process has exited; they do not indicate a relationship between the processes sharing them.
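Each certutil child above turns one file in the user's Temp directory into <file>.encrypted, but certutil -encode performs no encryption: it base64-encodes the input and wraps it in PEM certificate armour. The block below is an added example, not code from the sample or from Triage. It reproduces that output format (the encoder is this example's own reconstruction of certutil's -encode layout) so that the decoder can be tested offline, and then walks a directory recovering every <name>.encrypted back to <name>. It skips targets that still exist, because the command lines in this report only create copies and the report does not show the originals being deleted, and it refuses files that are not in the armoured format. The sample log contents and file names in demo() are constructed.

```python
"""Undo certutil -encode, which is all the *.encrypted files in this report are.
Added example; the encoder mirrors certutil's output layout for testing only."""
import base64
import tempfile
from pathlib import Path

HEADER = b"-----BEGIN CERTIFICATE-----"
FOOTER = b"-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> bytes:
    """Reproduce what certutil -encode writes: base64 of the input in 64-column
    lines, wrapped in PEM certificate armour, CRLF line endings."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\r\n".join([HEADER, *lines, FOOTER]) + b"\r\n"


def certutil_decode(blob: bytes) -> bytes:
    """Undo certutil -encode. Tolerates LF or CRLF and stray whitespace, but
    rejects anything without the armour so unrelated files are never touched."""
    lines = [ln.strip() for ln in blob.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("not certutil -encode output")
    return base64.b64decode(b"".join(lines[1:-1]), validate=True)


def recover_tree(root: Path, suffix: str = ".encrypted") -> list:
    """Rewrite every <name>.encrypted under root as <name>. A target that already
    exists is left alone (certutil -encode creates a copy, and this report does
    not show the originals being removed); files that are not in the certutil
    format are skipped. Returns the paths that were restored."""
    restored = []
    for enc_path in sorted(root.rglob(f"*{suffix}")):
        target = enc_path.with_name(enc_path.name[:-len(suffix)])
        if target.exists():
            continue
        try:
            plain = certutil_decode(enc_path.read_bytes())
        except ValueError:
            continue
        target.write_bytes(plain)
        restored.append(target)
    return restored


def demo():
    """Run recovery over constructed files in a temporary directory."""
    sample = b"2024-08-02 15:31:00 jusched: update check\r\n" * 8  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "jusched.log.encrypted").write_bytes(certutil_encode(sample))
        (d / "notes.txt").write_bytes(b"original still present")
        (d / "notes.txt.encrypted").write_bytes(certutil_encode(b"original still present"))
        (d / "junk.encrypted").write_bytes(b"not certutil output at all")
        restored = [p.name for p in recover_tree(d)]
        roundtrip_ok = (d / "jusched.log").read_bytes() == sample
    return restored, roundtrip_ok


if __name__ == "__main__":
    print(demo())
```

On a real host the same recovery is one certutil -decode per file; the point of the Python version is the guard rails, since a blind rename-and-decode over a whole profile would overwrite files whose originals were never touched.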
Network
MITRE ATT&CK Enterprise v15
Downloads

The named entries are browser and Office cache files (CryptnetUrlCache, Office WebServiceCache); no entry in this list is shown with a .encrypted path, so the outputs of the certutil children do not appear here.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: dabd0b88527d99b0dd0673e25276d2b6
  SHA1: 58e76468b9b16ac5803c941f4235ce49eb9fd167
  SHA256: e933ec83c2ff499ecf39b9d5dd01a8b14add2040d8703dc2dc7e098b482bc950
  SHA512: 8cb7de367c252aaf3426c9c82575fa80fe9c21f94bb70eddfed1ce575e0e28886677c3ec6ebbfe589a1499296d980512fba09b0e3c909854771c6f86360acdc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 30c8e65008cd05c0c556af448c3d4beb
  SHA1: f10b60e1c54dda2ca034a83508be2a93814ebda1
  SHA256: fda94d35a06e5fb84ccbeda7f70727161917ea8be13cb72bb5223f784aca11e0
  SHA512: b5a4288223a8516e0912beb3c1b184731f668bb772be740be0a47b48d1eda862bf72ab2a265d3d591b840a845ff8f9a93272ad7a8b216c4fd8c0ac40562d935a

(path not shown in report)
  Filesize: 10KB
  MD5: 7ab9b1f0d74290bc0966a691268ff8da
  SHA1: d91f47e5e20f69f85897f13a4f6c1b396e25ff2e
  SHA256: 6592b2811ed7f2203d0a1fcf337e9b131c5a97e3d4768070a586ad8c010c5186
  SHA512: f85f844e55e629be1c0996e7e0a67d3d72d689ee0e8d4ca36ac2606beeb5c3ccf4948bbe71789b8e2abef122b4045dc062abccecd61ad99dc71d46ffeba301ef

(path not shown in report)
  Filesize: 152B
  MD5: 058032c530b52781582253cb245aa731
  SHA1: 7ca26280e1bfefe40e53e64345a0d795b5303fab
  SHA256: 1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e
  SHA512: 77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

(path not shown in report)
  Filesize: 152B
  MD5: a8276eab0f8f0c0bb325b5b8c329f64f
  SHA1: 8ce681e4056936ca8ccd6f487e7cd7cccbae538b
  SHA256: 847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da
  SHA512: 42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

(path not shown in report)
  Filesize: 5KB
  MD5: f47ba88cb309d51086f6529e9d7d4eeb
  SHA1: 2721f3ce17bca4a78d026cc5d259a62863bd4c33
  SHA256: 5ec02d652a47802548cc9ea3c778a3ef94afacaf004e61903fc0c2d2e7c7bba1
  SHA512: ce1dd9dee0ad357caecf1c5d51cf07fa491504b302d977102270c81af308876b9a6dc504e71e24149810c4e557d5e0c4a5ba860e4397c32635a0839e27d52b61

(path not shown in report)
  Filesize: 5KB
  MD5: 85bd985ac356e9758d2430ef7e8ff22b
  SHA1: f4f0147cf94593cfac6aeeb02e2f138719f9f3d6
  SHA256: 57fc732e29141117c49284b84d9192af94a6ae143883764967fd943e0d1ccb16
  SHA512: 61fb1a002b7e3942601e42eacfe62288cbca9012c22d94a01249de65f23fa20e777aef31b72ce810d3a9ca54cc5fafb3e2cad3bdf58bc7b73b1a00d12a671244

(path not shown in report)
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8F76A4E5-400C-46E6-BA97-4AA8699A59C5
  Filesize: 172KB
  MD5: 5673e3ea99c6f5fa82e49088f226c78c
  SHA1: 5e2eb4d36f197004f0dcafc7b5b13db8e5533002
  SHA256: 816e1d40cc1051c01799d34b9eb2a6c7eeb642a4d6089fd92a778b91101df12a
  SHA512: f25141b60f42a5c7ef643cfd56adcab227fdab99729fb4eb25ef355282c5147e8888a45ae8e0f5cfdd935212c238bfcd6f130a528130c05853e6929368240c1a

(path not shown in report)
  Filesize: 87KB
  MD5: 95addea41ced3f2f400f7a3cb21903c8
  SHA1: 1140235df208406cf62de3c7167040e4bf080f1d
  SHA256: 452ca45ee03b4b88c9b37d3c92cd25b0d811c0693b410863dd010dce277f2d88
  SHA512: 3603d483de82381696bec98f2b3182cf9dcf091bf1e8cb84a009837ba2bcb15726a989e2848d94f257cc55d03af5d03d333f60f266d0813ce0ee810f788eba67