Analysis
-
max time kernel
83s -
max time network
83s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted
27-01-2024 18:10
Static task
static1
Behavioral task
behavioral1
Sample
jar-infection-scanner/JarInfectionScanner.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
jar-infection-scanner/JarInfectionScanner.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
jar-infection-scanner/baritone-api-forge-1.10.1.jar
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
jar-infection-scanner/baritone-api-forge-1.10.1.jar
Resource
win10v2004-20231215-en
General
-
Target
jar-infection-scanner/JarInfectionScanner.exe
-
Size
25KB
-
MD5
f953be311c44ef80366ec2acf8e2afdc
-
SHA1
215bc84d8d6d93b47e4c164d5eb9a65290f9a557
-
SHA256
94fbc2ed1a96f78ef82c8b452c2c445cb9d882eec2a8cdbe637595452e9e6980
-
SHA512
7a1be2551dfc0f3f82f3990607df12f6b796cd6ce16b53eb79e469bd5efc4b9bed674a5c16ff8ce65fb185264689d8471d5232ef8049e59f72b2581168926531
-
SSDEEP
384:asSxezDbi7bmT1xwjvdBmd5UEGLQP5fGfIYiPWsav8JN77hh3wJI8S:asSSSKRxdAGUgYiPz3hRwXS
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
85 | camo.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 52 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff | JarInfectionScanner.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | JarInfectionScanner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | JarInfectionScanner.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{D4D6DF9D-09CB-4774-BDC0-76BCA6EDDAD8} | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | JarInfectionScanner.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4" | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | JarInfectionScanner.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | JarInfectionScanner.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | JarInfectionScanner.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | JarInfectionScanner.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" | JarInfectionScanner.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | JarInfectionScanner.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1648 | msedge.exe
1648 | msedge.exe
5004 | msedge.exe
5004 | msedge.exe
396 | identity_helper.exe
396 | identity_helper.exe
5240 | msedge.exe
5240 | msedge.exe
1200 | msedge.exe
1200 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4996 | JarInfectionScanner.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid | Process
5004 | msedge.exe (15 identical rows)
Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process
5004 | msedge.exe (35 identical rows)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
5004 | msedge.exe (24 identical rows)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4996 | JarInfectionScanner.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5004 wrote to memory of 1128 | 5004 | msedge.exe | 97 (2 rows)
PID 5004 wrote to memory of 4568 | 5004 | msedge.exe | 98 (repeated)
PID 5004 wrote to memory of 1648 | 5004 | msedge.exe | 99 (2 rows)
PID 5004 wrote to memory of 1424 | 5004 | msedge.exe | 100 (repeated)
Identical rows are collapsed above; the table holds 64 rows in total.
Processes
-
C:\Users\Admin\AppData\Local\Temp\jar-infection-scanner\JarInfectionScanner.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\jar-infection-scanner\JarInfectionScanner.exe"
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004 -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55646f8,0x7ffae5564708,0x7ffae5564718
  PID:1128
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  PID:4568
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  PID:1424
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  PID:4944
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  PID:1692
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  PID:2408
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  PID:4576
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  PID:2404
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:396
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  PID:628
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  PID:4320
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  PID:968
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  PID:2688
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  PID:3964
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  PID:4788
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3576 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5916 /prefetch:8
  PID:5232
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  PID:5568
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  PID:5672
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  PID:5724
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6200 /prefetch:8
  PID:5872
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  PID:5876
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  PID:4604
-
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,8280873598472441120,16074115924265746751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
-
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4844
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4188
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:6112
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5
1386433ecc349475d39fb1e4f9e149a0
SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f
SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e
-
Filesize
59KB
MD5
063fe934b18300c766e7279114db4b67
SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f
-
Filesize
140KB
MD5
74a677f2b142f1b6b4f8cde1c6d49b5e
SHA1
ddd50d3de3b0c849de66d87dc6cafe5cf9fcd7b5
SHA256
c8bd28fb081b3eb04ac62eec7224063aef869281e78d2070b961b2fad2238cd6
SHA512
09715d3767d497ba71aa58f8f6d24e9c47e659f007fc597ed042449d03b15f98450ade90b8ffaa680504f37428823842dc4cd4fc8a1b1ec5a9e5f82e1a289997
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD546695ac1cadfb0cafed1b35f9544dc59
SHA1b4f148d54c322ef51360a6a08954c0999bdde3be
SHA2562f662d82b600dd9490114997b887d4d145c04a0421c9e8d17b67030a2ac8d37b
SHA512d559c08fa85341ea6e6dea99ebe08fe0b099828ad1d5dde34e25462de97532596395ab0cf4c57c95da7d1da46a5b3e2f3bce14126a07aa54e60fdac02491bdfc
-
Filesize
853B
MD529dd94e4b68d3bb11b7e98a270a1823c
SHA10968d12e00b0fa1159394f58a1c325357971b48b
SHA2564eb392386558ab0f84f21123a0b49f5a54e2d13267a61431aefda73b59e17191
SHA512bbdb103bbd34902200d1a65544f1559ff25c2b8e6136858bd530184dd602e2a1995c6aaae197f8ecf9af6cbbe5c21e93939a9f30fb61917eb75fa4b8a089e695
-
Filesize
5KB
MD5059b0115cded9298cb68bb30b443a468
SHA11bdb1049f761e3c33acefab5229c055bcaeb4acf
SHA25640b7caf50963f90d1b1fa353c45c9e12446c13957603cab9f5e62373e9a5ce7a
SHA512a505e494022ef01e4fce8a9f4e26a431e21c8b8b6e2571fcbe906fe9cf4a211a75c0ab4c86a1e587a6adfd95a89d3090f206a87672b2c96e1b448eb8abb75922
-
Filesize
5KB
MD5616c02864b80753c887608f8bfd2dadc
SHA1741169b2207bd93f8a459f889a07037d6c936d17
SHA256033a8b353b6a9303010e78559f28c89b711e95692ea4e8b9f85c16efdab7243e
SHA51212882ef763cf2fa3f6f7763c9f7da6ccfcfb899bdc5da8863004aaf38ee5e68d9ca873ae3bd3632b311d7252ae1921f8c50afe4f9918da1a736df54d807a663e
-
Filesize
6KB
MD59a3a930f6e2a1b45ee4d9dd396f015d6
SHA1d7c253898eb3ad9724e55bc0816d1d00ccc835db
SHA25645b256f8591df3711d9bd7a1b3d6e5b06721a1138db4ec8a771bfa71a57fe2f1
SHA512a1752a3f512cdbc950105ca84e656fc18df15fa31ee48c0796bfc07bc8bd8f04fc161481313f74da00deb1bae658345936be997fd89b0a5d718f68ecb82ad53d
-
Filesize
5KB
MD529c96048c6d62086977a9fb88ece4f05
SHA1a166f7a7fdc135acb4dfb205907bc1a6a053e063
SHA256ba94cae3b8a5018849378e7e10ea23d541021caab69b76bc458bae6b0b73b641
SHA512278cbbe1d9e91e5dac3532687de179a253928d532108edb0934404088685e648a2b0bc28831df60d3a8bb9541165960807fdfae31498342809798f9aaba949b8
-
Filesize
24KB
MD5e664066e3aa135f185ed1c194b9fa1f8
SHA1358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
SHA25686e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
SHA51258710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e
-
Filesize
1KB
MD5cd9555ad0497b7859d04b431efcad16f
SHA1b8a1f325dcd26b7136183d113222e55a78fc9b57
SHA256da40e865de71a1a4fc859baeab11164877889b9cfa04e429c83ab06fe6558bf3
SHA51265854db4850bf4a7ffc1568afeff2501ca10ce435e57987162327895cad151cc7eb1639168943832b73fe4d98edbc85a9238bbec979cea0ad50d4ad86db6152b
-
Filesize
1KB
MD586421b493f06080c6b492a906bdce7bb
SHA1f0b90ddc5093f3414508c49872b7894114f47917
SHA25645c80e0dce1055f2dad9d3381dbf252f39f7e2625fc5c20854887e599d13529e
SHA51230c96a1f65903fe5ade215151eda3cb9d4487bcc1d8a55bb3df92206f768e672f218ad4dbc69afc09ea9b93a6b44ba4b006ac503a9a6883a17858c68372571e7
-
Filesize
1KB
MD58184bdc922cd5b099a615ab0e8681ee7
SHA142ec57b9cae2d33bfb6151b37b71f0cd3595bda6
SHA256b29c230f3bf239d76caefc54d069f3afa8dbc2805b5219f35a8e3211cf589ea5
SHA512087f5c020a2eecc19596d418b461221b069771eef6386ee452ba3e5e1033492ad40e9a9d0e096de7fdf9bb93d0eb47e7693cbadecdd278e7ec4a6089ccdbb378
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD517de7cb24325320bb96f2c47e9d7bc96
SHA105ef98d6e286bb5f192b931c8c68f0d327da73b8
SHA25683ab0bfa01973b38ffc877de1a069f2dd761fe5f1c1628f30f00d0900a48ea96
SHA512b8c2b2c72bc9364a83f0c2f1704832d86138c4f9bb522f8b0263ac6b14431631847954cb1385417a5d7e43dbf3d1421e133aa89dd7d669c16ad1bae37efed739
-
Filesize
10KB
MD54af290fd58dc31ef76cebf88e2cd3c2d
SHA1177651dd73bafe752f66f0c80cf639945f7b0ac4
SHA2567319b203940a83a4382ee54d2f66582c200232f516546293c6ee316bdd655a8b
SHA5129755a460a9016feff09be951c58e579c6e3847b1514eeba3bfa1b1bc20b1b11711247edb4cd4e81fbd2a9840f08bd56199531330e718c628e24051e501bf1e31
-
Filesize
11KB
MD5b17d93a7a6eb00d51a452e64745de73c
SHA184bf5d55bc265f796077145c5b89136a292ecdac
SHA25661457e5141244833874a31637d3280ffec2b7eb33e73d84fb26130416f71f026
SHA5126f9090439e84ff810fd71af88f0cd986cdf56be77bdfb21d58e926f0ed6b9de6e236adfec1ec19416142ec625f3d90d84728ab200be48d79e3444b1f30ffea71
-
Filesize
499KB
MD5f28c81f8696fec4aa3b0a187bcd2bf92
SHA163289f5c67b6ef410a835b2061bd7354c8c803a7
SHA2566c96bfbea83a6d201239cb56e213186ae8334d1426707b4516f53ea5bf42d3a2
SHA512c8214bbe45665526f70da9433f2714e9eea3ccfbca1572cfef81a59339dd546407069439625c20881069b154bf7ccc80e3512fcaf09067261b3a6eb14ccc78f4