Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2024, 07:10
Behavioral task: behavioral1
  Sample: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Size: 260KB
MD5: 4d48147aff1bb8ab18255b32d11c29d7
SHA1: a13347c53a0d207a312a9be9f2ef9a6d5bae360c
SHA256: 63845f087d2c1e6110e619d02bb8f893d6ac66394ba169a96883d821c9754652
SHA512: 0d50f8e212210a9850f184f2d66e1a4b8b1d8f03f31968f4c22e52d897948300eb186316f3c4cef0324dc719706e69b548d087aa5393704de86f57147b2e4b70
SSDEEP: 6144:sMaDN3jto7RcPJ1KOuNINpk0gniex+2LQKHKRI:sMahuNOpax+2L0I
Malware Config
Signatures
YARA rule match: upx 2 IoCs
  resource: behavioral2/memory/4200-0-0x0000000000400000-0x0000000000442000-memory.dmp
  yara_rule: upx
  resource: behavioral2/memory/4200-3-0x0000000000400000-0x0000000000442000-memory.dmp
  yara_rule: upx
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"
  Process: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Process: msedge.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Process: msedge.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Process: msedge.exe
Modifies Internet Explorer settings 3 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"
  Process: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Download
  Process: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
  Process: 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
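The two registry behaviours recorded above, an autostart value under HKU\...\CurrentVersion\Run pointing at C:\MessengerPlus\mplayer2.exe and the Internet Explorer\Download values that switch off signature checking for downloaded executables, are the host-side artefacts a responder would hunt for. The following is an added detection example written for this page; it is not tria.ge code and not the sample's own logic. It runs two checks over constructed registry-set events laid out like Sysmon Event ID 13, with the key paths and values copied from the IoCs in this report. The benign OneDrive autostart entry, the Sysmon-style field names and the list of trusted program directories are assumptions.

```python
"""Detect a Run value that points outside trusted program directories, and
Internet Explorer download signature checks being disabled, over registry-set
events shaped like Sysmon Event ID 13."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_SID = "S-1-5-21-47134698-4092160662-1261813102-1000"
HKU = "\\REGISTRY\\USER\\" + SAMPLE_SID
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe"

# Constructed events (not real telemetry). The first three reproduce this report's
# IoCs; the fourth is a benign OneDrive autostart entry used as a negative control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": SAMPLE_IMAGE,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer",
     "Details": r"C:\MessengerPlus\mplayer2.exe"},
    {"Image": SAMPLE_IMAGE,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures",
     "Details": "no"},
    {"Image": SAMPLE_IMAGE,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures",
     "Details": "00000001"},
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
IE_DOWNLOAD_RE = re.compile(
    r"\\Microsoft\\Internet Explorer\\Download\\(CheckExeSignatures|RunInvalidSignatures)$", re.IGNORECASE)
# First token of a command line, quoted or bare, with or without arguments.
EXE_RE = re.compile(r'\s*"?(.+?\.(?:exe|dll|scr|cmd|bat|vbs|js))"?(?:\s|$)', re.IGNORECASE)
# Assumption: autostart entries under these roots are left to other controls; tune per estate.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    details: str


def executable_path(details: str) -> str:
    """Executable referenced by a Run value, lower-cased for prefix comparison."""
    m = EXE_RE.match(details)
    return (m.group(1) if m else details.strip().strip('"')).lower()


def registry_dword(details: str) -> int:
    """DWORD as this report prints it ("00000001") or as Sysmon renders it ("DWORD (0x00000001)")."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group(0)) if m else 0


def check_run_value(event: Dict[str, str]) -> Optional[Finding]:
    """Flag a Run/RunOnce value whose target lives outside the trusted program directories."""
    target = event["TargetObject"]
    if not RUN_VALUE_RE.search(target):
        return None
    if executable_path(event["Details"]).startswith(TRUSTED_PREFIXES):
        return None
    return Finding("run_key_untrusted_path", event["Image"], target, event["Details"])


def check_ie_download(event: Dict[str, str]) -> Optional[Finding]:
    """Flag CheckExeSignatures = "no" or a non-zero RunInvalidSignatures."""
    m = IE_DOWNLOAD_RE.search(event["TargetObject"])
    if not m:
        return None
    name, details = m.group(1).lower(), event["Details"]
    downgraded = (name == "checkexesignatures" and details.strip().lower() == "no") or (
        name == "runinvalidsignatures" and registry_dword(details) != 0)
    if not downgraded:
        return None
    return Finding("ie_download_signature_check_disabled", event["Image"], event["TargetObject"], details)


CHECKS = (check_run_value, check_ie_download)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Images that both wrote an autostart entry and downgraded IE download checks, as in this report."""
    rules_by_image: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_image.setdefault(f.image, set()).add(f.rule)
    return {img for img, rules in rules_by_image.items() if len(rules) == len(CHECKS)}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule}: {f.image} set {f.target} = {f.details!r}")
    for img in correlate(found):
        print(f"both behaviours from one image: {img}")
```

The Run-key check deliberately keys on where the target executable lives rather than on the value name, because the value name here (wmplayer) is chosen to look like Windows Media Player; the correlation step is what separates this sample's combination from a lone unusual autostart entry.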
Suspicious behavior: EnumeratesProcesses 48 IoCs
  pid 4200  Process 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe (38 entries)
  pid 4792  Process msedge.exe (2 entries)
  pid 3260  Process msedge.exe (2 entries)
  pid 4244  Process identity_helper.exe (2 entries)
  pid 3652  Process msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  pid 3260  Process msedge.exe (8 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description: Token: 33
  pid 4484  Process AUDIODG.EXE
  description: Token: SeIncBasePriorityPrivilege
  pid 4484  Process AUDIODG.EXE
Suspicious use of FindShellTrayWindow 25 IoCs
  pid 3260  Process msedge.exe (25 entries)
Suspicious use of SendNotifyMessage 24 IoCs
  pid 3260  Process msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
  pid 4200  Process 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
  PID 4200 wrote to memory of 3260  Process 4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe  procid_target 86 (2 entries)
  PID 3260 wrote to memory of 1468  Process msedge.exe  procid_target 87 (2 entries)
  PID 3260 wrote to memory of 3532  Process msedge.exe  procid_target 88 (40 entries)
  PID 3260 wrote to memory of 4792  Process msedge.exe  procid_target 89 (2 entries)
  PID 3260 wrote to memory of 2972  Process msedge.exe  procid_target 90 (18 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe (PID 4200)
  command line: "C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe"
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3260)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=ZvizXaqutWM
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1468)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffdb52e46f8,0x7ffdb52e4708,0x7ffdb52e4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3532)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4792)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2972)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2940)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4316)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2696)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2896)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5052)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5236 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4212)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4244)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3496)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2816)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2960)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3652)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4624 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 1632)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 2516)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 208)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\AUDIODG.EXE (PID 4484)
  command line: C:\Windows\system32\AUDIODG.EXE 0x41c 0x538
  - Suspicious use of AdjustPrivilegeToken
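The tree shows the sample (PID 4200, running from the user's Temp directory) launching Edge with a YouTube URL; every further msedge.exe and identity_helper.exe entry is an ordinary --type= helper spawned by the browser main process, PID 3260, which is also why the WriteProcessMemory and EnumeratesProcesses signatures above fire mostly on 3260. As an added example that is not part of the report or of tria.ge, the following Python reproduces that lineage as constructed records shaped like Sysmon Event ID 1 and flags a top-level browser process whose parent image lives in a user-writable directory, extracting the URL it was asked to open. The report does not show the sample's own parent, so the explorer.exe with PID 1000 and the explorer-launched Edge used as a negative control are hypothetical; the markers used to recognise user-writable directories are an assumption.

```python
"""Flag a browser main process launched with a URL by a parent running from a
user-writable directory, over process-creation records shaped like Sysmon Event ID 1."""
import re
from typing import Dict, List, Optional

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe"

# Constructed records (not real telemetry). PIDs 4200, 3260, 1468 and 4792 follow the
# report's tree; PID 1000 (explorer.exe) and the explorer-launched Edge (PID 5001) are
# hypothetical, the latter a benign control that must not be flagged.
SAMPLE_PROCESSES: List[Dict[str, object]] = [
    {"ProcessId": 1000, "ParentProcessId": 800, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 4200, "ParentProcessId": 1000, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 3260, "ParentProcessId": 4200, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --single-argument http://www.youtube.com/watch?v=ZvizXaqutWM'},
    {"ProcessId": 1468, "ParentProcessId": 3260, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --type=crashpad-handler "--user-data-dir=C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data" /prefetch:7'},
    {"ProcessId": 4792, "ParentProcessId": 3260, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US'},
    {"ProcessId": 5001, "ParentProcessId": 1000, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --single-argument https://example.com/'},
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
# Assumption: path fragments that mark directories a standard user can write to; extend per estate.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
URL_RE = re.compile(r"(?:--single-argument\s+)?(https?://\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_top_level_browser(proc: Dict[str, object]) -> bool:
    """The browser's main process; Chromium helpers always carry a --type= switch."""
    return basename(str(proc["Image"])) in BROWSERS and "--type=" not in str(proc["CommandLine"])


def opened_url(cmdline: str) -> Optional[str]:
    """URL the browser was asked to open, if any."""
    m = URL_RE.search(cmdline)
    return m.group(1) if m else None


def scan(processes: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each top-level browser launch with its parent and flag user-writable parents."""
    by_pid = {p["ProcessId"]: p for p in processes}
    findings: List[Dict[str, object]] = []
    for proc in processes:
        if not is_top_level_browser(proc):
            continue
        parent = by_pid.get(proc["ParentProcessId"])
        if parent is None or not is_user_writable(str(parent["Image"])):
            continue
        findings.append({
            "rule": "browser_spawned_from_user_writable_parent",
            "pid": proc["ProcessId"],
            "parent_pid": parent["ProcessId"],
            "parent_image": parent["Image"],
            "url": opened_url(str(proc["CommandLine"])),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"{f['rule']}: pid {f['pid']} parent {f['parent_pid']} ({f['parent_image']}) url {f['url']}")
```

Excluding --type= children keeps the rule quiet on the dozen helper processes Edge spawns; the parent-image test is what distinguishes the sample's launch from a user clicking a link from the taskbar.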
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 6c86c838cf1dc704d2be375f04e1e6c6
SHA1: ad2911a13a3addc86cc46d4329b2b1621cbe7e35
SHA256: dff0886331bb45ec7711af92ab10be76291fde729dff23ca3270c86fb6e606bb
SHA512: a120248263919c687f09615fed56c7cac825c8c93c104488632cebc1abfa338c39ebdc191e5f0c45ff30f054f08d4c02d12b013de6322490197606ce0c0b4f37

Filesize: 152B
MD5: 27f3335bf37563e4537db3624ee378da
SHA1: 57543abc3d97c2a2b251b446820894f4b0111aeb
SHA256: 494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a
SHA512: 2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 432B
MD5: 5fb5d676766ac3990051cc692493a908
SHA1: a801fb569ba98ba6a5025c421bcb892a6d1c5cb1
SHA256: 26467286d85045b74a321092bd67ba3f498babfdefa856b09ef6d1a46acbe82f
SHA512: ed8ca0ea2d228c68495bf6018acf292bab78407b623e5db74aa79150586ffdd1d2b81ab8bb3798a069f96f5222a66a882c1227f40c886a0acc0b5a9ced25eb0c

Filesize: 2KB
MD5: 99375fde19a78fa7add84adb18285aa2
SHA1: 1ea9b8dfcbce16bb6715af7cf880cb6f5c088274
SHA256: 8fcb6e8822637864380f6f12b51132fe23fc05a03cb65d586d50cedd323277fa
SHA512: fa9b8f08966f595f85aadf7892616af38dcf79d46473df4008e40a6dd634a77005abe0eb58f7732e71138e665baeb506495c25b3814d68749e6aa045c0715957

Filesize: 2KB
MD5: bd8514340218b36c60cf93c65e979ba7
SHA1: 20a4e1eb98989d0ce87bdec7aabc84db687ef385
SHA256: daf2eaac47974f306516a9df5abca4fad53485d0dd707da33aede36b475c4d8b
SHA512: f1978b1e62029dd3dbe57467d53138588a231553fa48ec5da2007ca28f2e100fac517279c705e0b679f36aafbea909ceee0941419710655e1b0f938c7c16338e

Filesize: 6KB
MD5: f00e271dd4458c91e9fcebcab30e0fd3
SHA1: 44a11a73851e5b623bd28e7ba16d15f69caf6d0c
SHA256: 7cee7c1b2186fd3ad7ab2d200f936d883af1d438cac5db3826ce91d0fc34518c
SHA512: b66c5478ea3be22167dee953cdae627234642cc82d87392537ced15b08f39506116fa73a7c3a7e3aff4a6e99c08f244c349022bbbc35d6492f2f9797273fe1c7

Filesize: 6KB
MD5: 131b69338f2e2ac35db525cab82264fe
SHA1: 1a445635a1c96576296c8c9b40a605e294c34a49
SHA256: d75675626c91393b1d9f7420fec7a7fed2580dcacc6213a63dc1b8fbf5c5cae4
SHA512: ffaa803eb8b5fd8f4dd2f0d2469e81a62b084edaf848f5706d945881dbb0cbca596d3ab7460a5bb9e784c18b82743197b3b787afef668ee4b73990339770ad04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\042d7d01-46d9-47a7-811b-4d27e6e1e837\index-dir\the-real-index
Filesize: 2KB
MD5: be2a043246b7fcccac163bff37b9ea08
SHA1: 10c975e8f0258ff925335e98e8e9a61633c600a5
SHA256: 08da4332e860fba843960b828d34f5306eb27a8e3c68ff40345db17cad7c3253
SHA512: 6f48680a4b6143e5eaabd2aa156602f0eb26850e98836788de541ab80f0bb043784adafa5d8d624c439260c08d0c8680d6d049ac29d53140454d5082c489bcb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\042d7d01-46d9-47a7-811b-4d27e6e1e837\index-dir\the-real-index~RFe57e83d.TMP
Filesize: 48B
MD5: b16ec3467a2ac09a3d4e94d074c0c2c8
SHA1: 28b4042353c21ddffdd0955fbddfd2cee6142baa
SHA256: f81bbf4aae96d22b46c8558702f0046263895fbd33db3481cff87a161df00819
SHA512: b2957b7c890ac9c592a7fa4ad3ac13d596d3de6ef5399dc8670fdd43e222fbc577262b4a9b35065702a7be6bb23369d0352f73b966c23943a2b9c444a7eb8550

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 146B
MD5: 200530acbaf8659fb4f0749e3c69c05f
SHA1: 41580253af119469e451d7dba632b48d0ac6c32c
SHA256: 56a29e4b7a789fb50234661b8a200453ce84ecd329a6760b6f85e0a38f4ebf91
SHA512: 6bbf94167f4807074678c197d7b54f6d92857dbe5b1c409bd29f5e3ac3b2f75c19cd5558e566496ceeb625e80e68777dfeb4a7f1a11990e25956001f32654fad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 82B
MD5: c35f9cc465ddab8df90b626769dff606
SHA1: 6762c3f06aae2b71960b0fa1a2590affd4cec9d4
SHA256: 7ecbd44b9f193c992846acfc6ac2caf2926c4fd9dd2552b0e3fb2c9abb3b6d61
SHA512: 8d408061d51219082dce6f7191c6f40996d81af06c9ad5a4721b3b24ebf3233865c37d98cca90d99d7a79aa9087df3981cc2e907a2e83ea85cc86ac4540f86e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 84B
MD5: c8363309aeae8c6acb50f7ba262ab922
SHA1: 3b3ecd32081866561e06abdab8afe9430f34233d
SHA256: e4da96d1d02b7fd1e5683e2585480fa95c404ed86d5d18d53c6fa87b926b35cd
SHA512: cfee7978e6d36d8baf27fdc68e986323f4cbf17b43121a8f3c55c491e21a73c028f8143be4731c6f478636d3847fbfe3b3da3def3b625cfba5abf0219b50e276

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5791d0.TMP
Filesize: 89B
MD5: bbc4c02a4ddf5a785bcbe7c3d6f7e2b5
SHA1: 4ae1db895da995dacba8c6a6589c71631130d43c
SHA256: 79e78147a8e2d3b4852bb3999026045b328b24a6ee88154727c98f082fc1773a
SHA512: 983adb76ad74a2878d9b7d250f45b527974a0051b3ef769e71a33d5acfb382818c4fbf83c52bdfd4b27d43ae5566d6d7129bbe9389bf9de93a283edd5946a437

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: eeb6e8bbdd426e9de104d21f80509af8
SHA1: 32843690907c2162f10a51b5272040ff82714300
SHA256: 1cf01ba4810b89f19041a7a935f38cd9f50df7c26dca2412006da9fc344be690
SHA512: 2944a3f297ccf8e2744755425bfdd0182f78b22538904980131774e84c331de5bcdc3bdecc9822a693848a6295245cb937ecb868b0f85bc09d209eba37d29910

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e0bb.TMP
Filesize: 48B
MD5: 8614f3be52704ef8adfabcd16a2bf051
SHA1: 85eb442f82c3f7a68bbd1212f9113b10dca14725
SHA256: 19eac79fcf723bd0d202955524f9cc3eb964896dd4de31621ffc7303b298bc53
SHA512: 2371ac1fba99b575237acb1b95f11b7a67e76d44b3b2ea81bf99db2d73205aa5f04c4a7adc15f9997e050756fef88dbf1acaebb78932fd236ade39caad77489c

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: b88f557b55f0ef6c3ee7ddc7f9652890
SHA1: 1919d72c18475fc044c914510bd0148291261f0d
SHA256: 1cc755fc3e032f1aa86395e4c23b6d4722fc825aad00d69edc8da172d738b875
SHA512: 7e0fa47aeba0c8fe6caa7265455c0a830aa4090154885d1cd1168abf66878265bbdb432b1f3a95ad0d21a14efe83cb739944cf6853628ae9c2d17b07896242ed