Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10410897f368...44.exe
windows7-x64
10410897f368...44.exe
windows10-2004-x64
1041234e0118...f5.exe
windows7-x64
1041234e0118...f5.exe
windows10-2004-x64
10412f4448e9...bb.exe
windows7-x64
10412f4448e9...bb.exe
windows10-2004-x64
10414a1d4000...6f.exe
windows7-x64
1414a1d4000...6f.exe
windows10-2004-x64
1414cb3c4ac...da.exe
windows7-x64
3414cb3c4ac...da.exe
windows10-2004-x64
3414f523f34...3b.exe
windows7-x64
10414f523f34...3b.exe
windows10-2004-x64
10415b778406...d0.exe
windows7-x64
10415b778406...d0.exe
windows10-2004-x64
104175909fcd...67.exe
windows7-x64
74175909fcd...67.exe
windows10-2004-x64
7417e4b0837...74.exe
windows7-x64
10417e4b0837...74.exe
windows10-2004-x64
104189a83a9b...b4.exe
windows7-x64
14189a83a9b...b4.exe
windows10-2004-x64
1041c0c0017e...70.exe
windows7-x64
1041c0c0017e...70.exe
windows10-2004-x64
1041dc6460e6...c8.exe
windows7-x64
1041dc6460e6...c8.exe
windows10-2004-x64
104202cc1a54...c1.exe
windows7-x64
104202cc1a54...c1.exe
windows10-2004-x64
104227543d6c...7e.exe
windows7-x64
104227543d6c...7e.exe
windows10-2004-x64
10424fdd0325...46.exe
windows7-x64
10424fdd0325...46.exe
windows10-2004-x64
104255dacb36...cd.exe
windows7-x64
104255dacb36...cd.exe
windows10-2004-x64
7Analysis
-
max time kernel
25s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:10 UTC
Behavioral task
behavioral1
Sample
410897f36809104096c8b600eb3a0444.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
410897f36809104096c8b600eb3a0444.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
41234e0118ba1cfc06b88d347f3a53f5.exe
Resource
win7-20250207-en
Behavioral task
behavioral4
Sample
41234e0118ba1cfc06b88d347f3a53f5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
412f4448e99979a1ce810cdf392b6abb.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
412f4448e99979a1ce810cdf392b6abb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
414a1d40006fffeb00666df68e3457f2db0ca7e9045535cc5de3c88c9e7fcc6f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
414cb3c4ac2d42889d7c55565afc0f57d2a0e9f7a186b5d5d8e5118fd3f976da.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
414f523f34e87006f31ca4b703886d3b.exe
Resource
win7-20250207-en
Behavioral task
behavioral12
Sample
414f523f34e87006f31ca4b703886d3b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
415b778406bbdc705f1962ded94e90d0.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
415b778406bbdc705f1962ded94e90d0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
4175909fcd35882461a1cfd784f7c967.exe
Resource
win7-20241023-en
Behavioral task
behavioral16
Sample
4175909fcd35882461a1cfd784f7c967.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
417e4b08378988e057831e5c3a74fd18014fc5fe2402e8aa3746e020a467ce74.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
4189a83a9b95038e6e32f05b4c69f3b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
4189a83a9b95038e6e32f05b4c69f3b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
41c0c0017e07c3984ced9121a820b070.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
41c0c0017e07c3984ced9121a820b070.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
41dc6460e6f99bd865a3456e9c0348c8.exe
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
41dc6460e6f99bd865a3456e9c0348c8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
4202cc1a54d458c6b3a7579733cc35c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
4202cc1a54d458c6b3a7579733cc35c1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
4227543d6caf9c96a1ecdceb233e7a0b225f1dcb7baf02087183829d55361f7e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
424fdd032528ca656b1513d1ca79a17116a6770be9d2f05a4e203c95d0b4dd46.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
4255dacb3601f46615055d9d23a538cd.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
4255dacb3601f46615055d9d23a538cd.exe
Resource
win10v2004-20250314-en
General
-
Target
4255dacb3601f46615055d9d23a538cd.exe
-
Size
43KB
-
MD5
4255dacb3601f46615055d9d23a538cd
-
SHA1
ec34d0c3dc3116f32eee59fc6b84ea0be8030529
-
SHA256
47dacc41ba9109e87ed4b26564fd6c20b4dfd7c457d0b5b2a32bf45b132da3df
-
SHA512
084feb9bf61e3641ade20c5c2c2049ec5d4ba1ce85ed5dcbd16c16b4d2dda1c15bdc86ba5ecf86d54676dd5efbe12c147e1e5dba87d29df64aba11a640b15505
-
SSDEEP
384:eZyDwNU1SoycwJmz0ZmhYYNE4OmMbycXzRpO9D9O5UE5QzwBlpJNakkjh/TzF7p0:kXqglcwJZQE/RycX3vQO+dK+L
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation 4255dacb3601f46615055d9d23a538cd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe appdate.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe appdate.exe -
Executes dropped EXE 1 IoCs
pid Process 528 appdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "\"C:\\Users\\Admin\\AppData\\Roaming\\appdate.exe\" .." appdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "\"C:\\Users\\Admin\\AppData\\Roaming\\appdate.exe\" .." appdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language appdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4255dacb3601f46615055d9d23a538cd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4948 schtasks.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5360 4255dacb3601f46615055d9d23a538cd.exe 528 appdate.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 528 appdate.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5360 wrote to memory of 528 5360 4255dacb3601f46615055d9d23a538cd.exe 89 PID 5360 wrote to memory of 528 5360 4255dacb3601f46615055d9d23a538cd.exe 89 PID 5360 wrote to memory of 528 5360 4255dacb3601f46615055d9d23a538cd.exe 89 PID 528 wrote to memory of 4948 528 appdate.exe 90 PID 528 wrote to memory of 4948 528 appdate.exe 90 PID 528 wrote to memory of 4948 528 appdate.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\4255dacb3601f46615055d9d23a538cd.exe"C:\Users\Admin\AppData\Local\Temp\4255dacb3601f46615055d9d23a538cd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5360 -
C:\Users\Admin\AppData\Roaming\appdate.exe"C:\Users\Admin\AppData\Roaming\appdate.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4948
-
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe1⤵PID:5300
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288; domain=.bing.com; expires=Thu, 16-Apr-2026 06:17:00 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 378105AB0BDB4E3A8DF8DC0C29AABBC6 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
date: Sat, 22 Mar 2025 06:16:59 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=hiUaEJjG_KFx_mbSzwhfYvH5ntEwcT7G4XPmUdDUeAw; domain=.bing.com; expires=Thu, 16-Apr-2026 06:17:00 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 58760F9CA8614CD1A64629F545E2A504 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
date: Sat, 22 Mar 2025 06:16:59 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E65FA1C0DC763EA3A9EEFAB0C7C6288; MSPTC=hiUaEJjG_KFx_mbSzwhfYvH5ntEwcT7G4XPmUdDUeAw
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4D8388DF4DCA4079BDA1A3404EC824C3 Ref B: LON04EDGE0808 Ref C: 2025-03-22T06:17:00Z
date: Sat, 22 Mar 2025 06:16:59 GMT
-
Remote address:8.8.8.8:53Request3bada.ddns.netIN AResponse3bada.ddns.netIN A41.238.181.69
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.180.3
-
Remote address:142.250.180.3:80RequestGET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 304 Not Modified
Expires: Sat, 22 Mar 2025 06:49:32 GMT
Age: 1099
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Request3bada.ddns.netIN AResponse3bada.ddns.netIN A41.238.181.69
-
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=tls, http22.1kB 11.0kB 24 21
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dc9e69fcd867404f963f34b164ae1b1b&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=HTTP Response
204 -
260 B 5
-
260 B 5
-
1.1kB 6.8kB 13 10
-
140.3kB 4.1MB 2988 2978
-
1.4kB 6.8kB 15 10
-
1.1kB 6.8kB 13 10
-
1.1kB 6.9kB 13 11
-
476 B 395 B 6 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
304 -
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
60 B 76 B 1 1
DNS Request
3bada.ddns.net
DNS Response
41.238.181.69
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.180.3
-
60 B 76 B 1 1
DNS Request
3bada.ddns.net
DNS Response
41.238.181.69
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD542157868488d3ef98c00e3fa12f064be
SHA1aad391be9ac3f6ce1ced49583690486a5f4186fb
SHA256b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c
SHA5128f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471
-
Filesize
43KB
MD54255dacb3601f46615055d9d23a538cd
SHA1ec34d0c3dc3116f32eee59fc6b84ea0be8030529
SHA25647dacc41ba9109e87ed4b26564fd6c20b4dfd7c457d0b5b2a32bf45b132da3df
SHA512084feb9bf61e3641ade20c5c2c2049ec5d4ba1ce85ed5dcbd16c16b4d2dda1c15bdc86ba5ecf86d54676dd5efbe12c147e1e5dba87d29df64aba11a640b15505