Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 13:47
Behavioral tasks
- behavioral1: sample d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe, resource win10v2004-20240226-en
General
Target: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
Size: 232KB
MD5: d5671add722cdca65ce15f29600eec47
SHA1: bc417c926569205a12204446b966d72ca199e73c
SHA256: df112e32296232cbbee9e0da6b4d40659604b654de9f65500c97a7576c0a0060
SHA512: 78be8ed94fd2e18280a9f8fa43b85569f98548901b7f924f9b49e72576b9cfbf4a34b8c74124381615549f940e2ac9f36f969cb142c8c9475dd665e42aecff65
SSDEEP: 3072:h7//9yazxLySP4/LN/PCeSuwz2b4g3+40cLxucVyQU7g7a7/gt9+JzCTL8BbRSCc:hM3SPsZ/Pe2b/3EcLxuHF0mU9vA
Signatures

Drops file in Drivers directory (3 IoCs)
- File created: C:\WINDOWS\SysWOW64\drivers\gmreadme.txt; process: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
- File created: C:\WINDOWS\SysWOW64\drivers\afunix.sys; process: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
- File created: C:\WINDOWS\SysWOW64\drivers\gm.dls; process: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

Manipulates Digital Signatures (1 IoC)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- File created: C:\WINDOWS\SysWOW64\wintrust.dll; process: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation; process: d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
Yara rule match: upx (8 IoCs)
- behavioral2/memory/3292-0-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/memory/3292-9-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/files/0x000100000001da9f-15.dat
- behavioral2/memory/3292-23-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/memory/3292-97-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/memory/3292-111-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/memory/3292-591-0x0000000000400000-0x000000000040A000-memory.dmp
- behavioral2/memory/3292-1035-0x0000000000400000-0x000000000040A000-memory.dmp
Drops file in System32 directory (64 IoCs; all by process d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe)
Drops file in Windows directory (22 IoCs; all by process d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe)
- File created: C:\WINDOWS\write.exe
- File created: C:\WINDOWS\bfsvc.exe
- File created: C:\WINDOWS\explorer.exe
- File created: C:\WINDOWS\HelpPane.exe
- File created: C:\WINDOWS\notepad.exe
- File opened for modification: C:\WINDOWS\PFRO.log
- File created: C:\WINDOWS\WMSysPr9.prx
- File created: C:\WINDOWS\mib.bin
- File opened for modification: C:\WINDOWS\Professional.xml
- File opened for modification: C:\WINDOWS\setupact.log
- File created: C:\WINDOWS\twain_32.dll
- File created: C:\WINDOWS\hh.exe
- File opened for modification: C:\WINDOWS\setuperr.log
- File created: C:\WINDOWS\splwow64.exe
- File opened for modification: C:\WINDOWS\system.ini
- File opened for modification: C:\WINDOWS\WindowsUpdate.log
- File opened for modification: C:\WINDOWS\DtcInstall.log
- File opened for modification: C:\WINDOWS\lsasetup.log
- File created: C:\WINDOWS\sysmon.exe
- File opened for modification: C:\WINDOWS\SysmonDrv.sys
- File opened for modification: C:\WINDOWS\win.ini
- File created: C:\WINDOWS\winhlp32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; process: msedge.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer; process: msedge.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; process: msedge.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- pid 4576 msedge.exe (2 entries)
- pid 5068 msedge.exe (2 entries)
- pid 2936 identity_helper.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
- pid 5068 msedge.exe (all 11 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
- pid 5068 msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- pid 5068 msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries repeat the following five parent-to-child writes (procid_target in parentheses):
- PID 3292 d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe wrote to memory of 5068 (96)
- PID 5068 msedge.exe wrote to memory of 3196 (97)
- PID 5068 msedge.exe wrote to memory of 4404 (98)
- PID 5068 msedge.exe wrote to memory of 4576 (99)
- PID 5068 msedge.exe wrote to memory of 3224 (100)
Processes
- PID 3292: "C:\Users\Admin\AppData\Local\Temp\d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe"
  signatures: Drops file in Drivers directory; Manipulates Digital Signatures; Checks computer location settings; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - PID 5068: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - PID 3196: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe0946f8,0x7ffcfe094708,0x7ffcfe094718
    - PID 4404: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    - PID 4576: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    - PID 3224: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    - PID 1968: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    - PID 2248: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    - PID 3552: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    - PID 1556: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3944 /prefetch:8
    - PID 1676: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
    - PID 2936: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - PID 3092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    - PID 2684: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    - PID 2292: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    - PID 4408: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    - PID 4144: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    - PID 4292: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    - PID 5056: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    - PID 3508: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  - PID 4244: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
    - PID 3252: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe0946f8,0x7ffcfe094708,0x7ffcfe094718
- PID 2680: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4612: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4268: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3d8
Downloads