Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Size: 140KB
MD5: 768f867471ca6a6e234b182175edc733
SHA1: 07c5b7ef3e1606d15115890b5d07803f5d81e11b
SHA256: f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4
SHA512: 9f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6
SSDEEP: 1536:O/+1z/tt6HurQ1I8Nzuek6IrqbOHQ9ocjjjb64Sh0NlL6C753u4vj7cmaMQyHXTN:OG1OHutQu0P6c7L75+4vXaM98qKnIfq
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 5 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe:*:Enabled:Windows System Devices Manager" | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "c:\\windows\\csrss.exe:*:Enabled:Windows System Devices Manager" | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | process
400 | netsh.exe
4536 | netsh.exe
Executes dropped EXE (2 IoCs)
pid | process
1908 | csrss.exe
4916 | csrss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe" | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe" | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
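The two registry signatures above carry more than "a key was written". The legacy firewall list under FirewallPolicy\StandardProfile\AuthorizedApplications\List stores each entry as "<program>:<scope>:<Enabled|Disabled>:<display name>", and here the second write keeps the Temp-directory path as the value name but points the data at c:\windows\csrss.exe, the same path both Run keys launch. The real csrss.exe lives in %SystemRoot%\System32, so a csrss.exe directly under c:\windows is a name-only masquerade. The following is an added triage script, not part of the report or of tria.ge; it parses the four "Set value (str)" IoCs (copied from this report as constructed input), decodes the firewall-list format, and flags the mismatch and the masquerade. The system-process name list and the user-writable-path markers are the author's assumptions.

```python
"""Triage registry-write IoCs of the kind listed under "Modifies firewall
policy service" and "Adds Run key to start application"."""
from pathlib import PureWindowsPath

# Constructed input: the four "Set value (str)" IoCs from this report, in the
# sandbox's "<key>\<value name> = "<data>"" notation (data keeps doubled backslashes).
REPORT_IOCS = [
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe:*:Enabled:Windows System Devices Manager"',
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "c:\\windows\\csrss.exe:*:Enabled:Windows System Devices Manager"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe"',
    r'\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe"',
]

FIREWALL_LIST = "\\AuthorizedApplications\\List\\"
RUN_KEY = "\\CurrentVersion\\Run\\"
# Assumption: binaries with these names only legitimately live in System32/SysWOW64.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "wininit.exe", "svchost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumption: path fragments that indicate a directory a normal user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_ioc(line):
    """Split one 'Set value (str)' IoC into kind, value name and unescaped data."""
    key_and_name, _, quoted = line.partition(" = ")
    data = quoted.strip('"').replace("\\\\", "\\")
    for kind, marker in (("firewall_allow", FIREWALL_LIST), ("run_key", RUN_KEY)):
        if marker.lower() in key_and_name.lower():
            idx = key_and_name.lower().index(marker.lower()) + len(marker)
            return {"kind": kind, "value_name": key_and_name[idx:], "data": data}
    return None  # not one of the two key types this script understands


def path_findings(program):
    """Checks that apply to any executable path pulled out of a registry value."""
    p = PureWindowsPath(program)
    findings = []
    if p.name.lower() in SYSTEM_PROCESS_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"masquerading system binary name outside System32: {program}")
    if any(m in program.lower() for m in USER_WRITABLE_MARKERS):
        findings.append(f"program lives under a user-writable directory: {program}")
    return findings


def assess(entry):
    """Return the entry enriched with its program path and a list of findings."""
    if entry["kind"] == "firewall_allow":
        # Legacy firewall list format: <program>:<scope>:<Enabled|Disabled>:<display name>.
        # rsplit from the right so the drive-letter colon stays inside <program>.
        program, scope, mode, display = entry["data"].rsplit(":", 3)
        findings = path_findings(program)
        if program.lower() != entry["value_name"].lower():
            findings.append("allow-rule program differs from its entry name "
                            f"(entry {entry['value_name']!r} allows {program!r})")
        if mode == "Enabled" and scope == "*":
            findings.append(f"inbound allowed from any address as {display!r}")
    else:
        program = entry["data"].strip('"')
        findings = path_findings(program)
    return {**entry, "program": program, "findings": findings}


def triage(lines):
    """Parse and assess every recognised IoC line; unrecognised lines are skipped."""
    return [assess(e) for e in map(parse_ioc, lines) if e]


if __name__ == "__main__":
    for r in triage(REPORT_IOCS):
        print(r["kind"], r["program"])
        for f in r["findings"]:
            print("   !", f)
```

Run against the four report lines, the first firewall entry is flagged only for living under AppData\Local\Temp, the second for both the masquerade and the name/data mismatch, and both Run keys for the masquerade. The same parser works on a live box once the values are read out with winreg and the doubled backslashes are dropped.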
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | procid_target
PID 4260 set thread context of 3252 | 4260 | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe | 84
PID 1908 set thread context of 4916 | 1908 | csrss.exe | 88
Drops file in Windows directory (5 IoCs)
description | ioc | process
File opened for modification | \??\c:\windows\csrss.exe | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
File created | \??\c:\windows\csrss.exe | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
File opened for modification | \??\c:\windows\ndl.dl | csrss.exe
File opened for modification | \??\c:\windows\ntdl.dl | csrss.exe
File opened for modification | \??\c:\windows\csrss.exe | csrss.exe
Launches sc.exe (2 IoCs)
sc.exe is the Windows utility used to control services on the system.
pid | process
1764 | sc.exe
1100 | sc.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process (occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe (2)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe (1)
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | process | occurrences
4916 | csrss.exe | 2
4176 | msedge.exe | 2
4716 | msedge.exe | 2
2836 | identity_helper.exe | 2
5972 | msedge.exe | 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid | process | occurrences
4716 | msedge.exe | 9
Suspicious use of FindShellTrayWindow (25 IoCs)
pid | process | occurrences
4716 | msedge.exe | 25
Suspicious use of SendNotifyMessage (24 IoCs)
pid | process | occurrences
4716 | msedge.exe | 24
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target | occurrences
PID 4260 wrote to memory of 3252 | 4260 | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe | 84 | 8
PID 3252 wrote to memory of 4536 | 3252 | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe | 85 | 3
PID 3252 wrote to memory of 1908 | 3252 | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe | 86 | 3
PID 1908 wrote to memory of 4916 | 1908 | csrss.exe | 88 | 8
PID 3252 wrote to memory of 2676 | 3252 | 768f867471ca6a6e234b182175edc733_JaffaCakes118.exe | 89 | 3
PID 4916 wrote to memory of 400 | 4916 | csrss.exe | 90 | 3
PID 4916 wrote to memory of 1988 | 4916 | csrss.exe | 91 | 3
PID 4916 wrote to memory of 4476 | 4916 | csrss.exe | 92 | 3
PID 4916 wrote to memory of 1764 | 4916 | csrss.exe | 93 | 3
PID 4916 wrote to memory of 1100 | 4916 | csrss.exe | 94 | 3
PID 1988 wrote to memory of 3612 | 1988 | net.exe | 99 | 3
PID 4476 wrote to memory of 396 | 4476 | net.exe | 101 | 3
PID 548 wrote to memory of 4716 | 548 | explorer.exe | 102 | 2
PID 4716 wrote to memory of 1964 | 4716 | msedge.exe | 104 | 2
PID 4716 wrote to memory of 1932 | 4716 | msedge.exe | 105 | 14
Processes
[1] C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"
  PID:4260
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"
    PID:3252
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh firewall add allowedprogram 1.exe 1 ENABLE
      PID:4536
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    [3] \??\c:\windows\csrss.exe
      cmd: "c:\windows\csrss.exe"
      PID:1908
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\csrss.exe
        cmd: "c:\windows\csrss.exe"
        PID:4916
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\netsh.exe
          cmd: netsh firewall add allowedprogram 1.exe 1 ENABLE
          PID:400
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\net.exe
          cmd: net stop wuauserv
          PID:1988
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop wuauserv
            PID:3612
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\net.exe
          cmd: net stop MsMpSvc
          PID:4476
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop MsMpSvc
            PID:396
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\sc.exe
          cmd: sc config wuauserv start= disabled
          PID:1764
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\sc.exe
          cmd: sc config MsMpSvc start= disabled
          PID:1100
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\explorer.exe
      cmd: explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
      PID:2676
      - System Location Discovery: System Language Discovery
[1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID:548
  - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://browseusers.myspace.com/Browse/Browse.aspx
    PID:4716
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcef5946f8,0x7ffcef594708,0x7ffcef594718
      PID:1964
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      PID:1932
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      PID:4176
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      PID:3960
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      PID:1004
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      PID:2192
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      PID:5092
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
      PID:948
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      PID:388
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
      PID:4564
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
      PID:2836
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
      PID:840
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      PID:848
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
      PID:5240
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
      PID:5248
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4603382871910245215,5392053356454485419,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4776 /prefetch:2
      PID:5972
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3620
[1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4944
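The defence-impairment half of the tree is entirely visible in command lines: the dropped csrss.exe re-runs the netsh allow-rule, then stops Windows Update (wuauserv) and the MsMpSvc anti-malware service with net.exe and sets both to start= disabled with sc.exe, while the hollowed sample itself opens a MySpace URL through explorer.exe. Two caveats for anyone writing detections from this: MsMpSvc is the service name of the Microsoft Security Essentials / Forefront-era engine, and on Windows 10 Defender runs as WinDefend, so the `net stop MsMpSvc` here has no service to stop on the analysis image; and `netsh firewall` is the legacy context (Windows 10 points users to `netsh advfirewall firewall`), so the signal worth alerting on is the invocation itself rather than an assumed rule change. The script below is an added example, not part of the report; it replays the report's command lines (copied as constructed input) through a small set of rules for service stops, boot-time service disabling, firewall allow rules and URL launches via explorer.exe, and reports which protected services the tree tried to neutralise. The protected-service table is the author's assumption.

```python
"""Classify sandbox process-tree command lines for defence impairment."""
import re

# Constructed from this report's process tree: (pid, parent pid, command line).
PROCESS_TREE = [
    (4260, 0, r'"C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"'),
    (3252, 4260, r'"C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"'),
    (4536, 3252, "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    (1908, 3252, r'"c:\windows\csrss.exe"'),
    (4916, 1908, r'"c:\windows\csrss.exe"'),
    (400, 4916, "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    (1988, 4916, "net stop wuauserv"),
    (3612, 1988, r"C:\Windows\system32\net1 stop wuauserv"),
    (4476, 4916, "net stop MsMpSvc"),
    (396, 4476, r"C:\Windows\system32\net1 stop MsMpSvc"),
    (1764, 4916, "sc config wuauserv start= disabled"),
    (1100, 4916, "sc config MsMpSvc start= disabled"),
    (2676, 3252, "explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx"),
]

# Assumption: services whose stop/disable is a defence-impairment signal (lower-cased names).
PROTECTED_SERVICES = {
    "wuauserv": "Windows Update",
    "msmpsvc": "Microsoft Antimalware (Security Essentials / Forefront)",
    "windefend": "Windows Defender Antivirus",
    "wscsvc": "Security Center",
    "sense": "Windows Defender Advanced Threat Protection",
    "mpssvc": "Windows Defender Firewall",
}

# net.exe hands the work to net1.exe, so both spellings are matched; the optional
# leading group swallows any directory prefix such as C:\Windows\system32\.
SERVICE_STOP = re.compile(r"^(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+(?P<svc>\S+)", re.I)
SERVICE_DISABLE = re.compile(
    r"^(?:\S*\\)?sc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+start=\s*disabled", re.I)
FIREWALL_ALLOW = re.compile(
    r"^(?:\S*\\)?netsh(?:\.exe)?\s+(?P<ctx>advfirewall\s+firewall|firewall)\s+add\s+(?:allowedprogram|rule)", re.I)
URL_VIA_EXPLORER = re.compile(r"^(?:\S*\\)?explorer(?:\.exe)?\s+(?P<url>https?://\S+)", re.I)


def classify(cmdline):
    """Return (tactic, detail) for a command line a rule recognises, else None."""
    cmd = cmdline.strip().strip('"')
    if (m := SERVICE_STOP.match(cmd)) and m["svc"].lower() in PROTECTED_SERVICES:
        svc = m["svc"].lower()
        return "impair_defenses", f"stops {PROTECTED_SERVICES[svc]} ({svc})"
    if (m := SERVICE_DISABLE.match(cmd)) and m["svc"].lower() in PROTECTED_SERVICES:
        svc = m["svc"].lower()
        return "impair_defenses", f"disables {PROTECTED_SERVICES[svc]} at boot ({svc})"
    if m := FIREWALL_ALLOW.match(cmd):
        ctx = "legacy netsh firewall" if m["ctx"].lower() == "firewall" else "netsh advfirewall"
        return "impair_defenses", f"adds firewall allow rule via {ctx}: {cmd}"
    if m := URL_VIA_EXPLORER.match(cmd):
        return "execution", f"opens a URL through explorer.exe: {m['url']}"
    return None


def triage(tree):
    """Classify every process; findings keep pid and parent so they map back onto the tree."""
    findings = []
    for pid, ppid, cmd in tree:
        hit = classify(cmd)
        if hit:
            findings.append({"pid": pid, "parent": ppid, "tactic": hit[0], "detail": hit[1]})
    return findings


def impaired_services(tree):
    """Lower-cased names of protected services the tree stopped or disabled."""
    names = set()
    for _, _, cmd in tree:
        for rx in (SERVICE_STOP, SERVICE_DISABLE):
            m = rx.match(cmd.strip().strip('"'))
            if m and m["svc"].lower() in PROTECTED_SERVICES:
                names.add(m["svc"].lower())
    return names


if __name__ == "__main__":
    for f in triage(PROCESS_TREE):
        print(f"pid {f['pid']} (parent {f['parent']}) {f['tactic']}: {f['detail']}")
    print("services targeted:", sorted(impaired_services(PROCESS_TREE)))
```

On the report's tree this produces nine findings (eight impair_defenses, one execution) and reports wuauserv and msmpsvc as the services targeted; the csrss.exe launches themselves match no rule here because the path masquerade is a registry/file-system check rather than a command-line one.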
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3): Windows Service (3)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3): Windows Service (3)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (2): Disable or Modify System Firewall (2)
  Modify Registry (2)
Downloads

Filesize: 152B
MD5: 9622e603d436ca747f3a4407a6ca952e
SHA1: 297d9aed5337a8a7290ea436b61458c372b1d497
SHA256: ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261
SHA512: f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Filesize: 152B
MD5: 04b60a51907d399f3685e03094b603cb
SHA1: 228d18888782f4e66ca207c1a073560e0a4cc6e7
SHA256: 87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3
SHA512: 2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 240B
MD5: a4158a1ae60483f032e407c5591ee2dc
SHA1: 8a287dc6d0e1a8c0204199bc00ec6eb23730b84a
SHA256: bdbe351ad8e0750391f1a7f03132ba673e9f83ff56ef65aed60237cd0b63f82d
SHA512: 2de92e800013bea8d604589762e786873d4aa1e3e8b48d4004069bed26cdd5ff94b93a10999413a01b1b112d1ca17093a44172cdf38ecbff30e21860d002b4c4

Filesize: 1KB
MD5: 21ba3ad189d726f30608e85fc35b1696
SHA1: a22e63f82f067b38cadaf5b8aab446b6b3eee0ab
SHA256: 19944ebf08bed046e6d905508fe5b3a393e1c894a40c81290f54fb3c51f63b88
SHA512: f2d43d1c9551f86f60a89cc47306d44b8663302fea2c33a01a23e76c3c60dc7725939149ba375141c1ff7aba9b9d0840b03dfc983b8341e79eee282f1c11f2a5

Filesize: 5KB
MD5: 69300124b23cb8854bb19f24e9cc4343
SHA1: d7580ab5aa3060291a612fbe914beb82eb6c5d35
SHA256: 63b602213a8114e10cf9f0f25b2a1ea6c8249468a99492997a05cafeadb43bdb
SHA512: cff7aee2bdb895a9afeff62fa4fc099a9389daae5336fbcf4e86ba11783a65780e47e7235133e1ece729df86f24f27af676f4bfef6f8e6f0f4955c8fae5ba368

Filesize: 7KB
MD5: 4a4a3b522782181446636fd3cca69faf
SHA1: 258b93979cba2ffc538a91604b7efab8f1e54752
SHA256: 65ccedfc9a7a8302e31f19c186fc554a1d4b74aab8ee78f0e3187ce24b462dcd
SHA512: 8407c6211aef5e3ce6361f360518560cf7030c6d371f255168527c26804c5c20c44d140a1d7c2b65fd782c369919152a4bf0d99ecec8f11afc945f9da63760e4

Filesize: 7KB
MD5: bff14467976491741fa455aeccfc3e60
SHA1: c3e2cd3f7fe1795578cec8f8b2b7520748fc0450
SHA256: 7913aaf7ac9dd957952c84c1398dbaa7be9c076ec57fa87908ccd1d7cdbad26e
SHA512: 0f936de2188f6df95b6dda062418dce69eb0a0a7a5057cfa57d1833dd6a3ebc8a884a845f9139f7b2e090d2c7936f78092f293ddb449b7c68cd586c8303abb4e

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 10KB
MD5: ae796df9c9141ccfd02c2f4522be963b
SHA1: 0194e5abaaa16006d3095d61f2edb43641f78e56
SHA256: e0cfee9a30b03e6fa7b50e663bdb0afcc07e3f8156fe1068139ca5ea2ca10129
SHA512: 4482ae693d6c00544ace6f32e40cbaad79cbe1c196e719819fd6df0611011de02fa2775a7c93ea884de374412a64d859638091d1c26666fc8c988bdd353fefe9

Filesize: 140KB
MD5: 768f867471ca6a6e234b182175edc733
SHA1: 07c5b7ef3e1606d15115890b5d07803f5d81e11b
SHA256: f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4
SHA512: 9f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6