Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/08/2024, 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Size: 229KB
MD5: 8ea62755d4e84d11a74d5d935d51c919
SHA1: 09241eb73c594a5e7da9824ac46de7b5e97e2f45
SHA256: 148c1c94ec622ade72d4b8f8c248ce3b27c39b5cd9f02c079c9c9860345ac8ba
SHA512: 79a97742ceb3f6cf71abd4c79f6c2f36809d4d1a43b3daa5484b1eee50d2b1cf08c8ba918a3da32d8179be0a9e3f7830f2549cb1202a31352efc7b28408537d5
SSDEEP: 3072:42cX0J6zhizgq1r6BXUmMn8oJv7DW3q7JjZdwR7enKJ7/Hqt:bJ6zO1GBXfa7JER7e27/Hy
Malware Config
Signatures
- Modifies firewall policy service (3 TTPs, 5 IoCs)
  All five registry operations are performed by 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe:
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe:*:Enabled:NVIDIA driver monitor"
  - Set value (str): the same value name = "C:\\Windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
  This is the legacy (pre-Vista) firewall allow-list format, path:scope:state:display name, where a scope of * means any remote address. Note that the value name still points at the Temp copy while the second write puts the dropped C:\Windows\nvsvc32.exe in the data, and that the display name borrows a vendor name (NVIDIA) matching neither path.
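The value format above is easy to misparse because the program path itself contains a colon. The following Python script is an added example, not part of the Triage report or of the sample, that parses the legacy AuthorizedApplications entry format and applies a few heuristics of its own to the two entries recorded above (with the report's doubled backslashes reduced to the single backslashes the registry holds). The function names, the user-writable directory list and the review notes are the example's assumptions.

```python
import re
from dataclasses import dataclass

# Legacy Windows Firewall allow list, the key this sample writes to:
#   HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\
#       StandardProfile\AuthorizedApplications\List
# Each value is named after a program path and holds a string
#   <path>:<scope>:<Enabled|Disabled>:<display name>
# where a scope of "*" means any remote address. The path itself contains a
# colon (drive letter), so the entry cannot be split naively on ":".
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I)


@dataclass
class AllowEntry:
    value_name: str      # registry value name (a program path)
    path: str            # program path embedded in the data
    scope: str           # "*" or an address/subnet list
    state: str           # Enabled / Disabled
    display_name: str    # free text shown in the firewall UI


def parse_allow_entry(value_name: str, data: str) -> AllowEntry:
    m = ENTRY_RE.match(data)
    if not m:
        raise ValueError(f"not an AuthorizedApplications entry: {data!r}")
    return AllowEntry(value_name, m["path"], m["scope"], m["state"], m["name"])


# Directory markers treated as user-writable (assumption for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def findings(entry: AllowEntry) -> list:
    """Heuristic review notes for one entry; these are the example's own rules."""
    notes = []
    path = entry.path.lower()
    if entry.state.lower() == "enabled" and entry.scope == "*":
        notes.append("enabled for any remote address")
    if any(marker in path for marker in USER_WRITABLE):
        notes.append("program is in a user-writable directory")
    if path.startswith("c:\\windows\\") and path.count("\\") == 2:
        notes.append("program sits directly under C:\\Windows, not in a system subdirectory")
    if entry.value_name.lower() != path:
        notes.append("value name and embedded path disagree")
    return notes


# The two Set value IoCs from this report, constructed here as (value name, data).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe"
REPORT_VALUES = [
    (SAMPLE_PATH, SAMPLE_PATH + ":*:Enabled:NVIDIA driver monitor"),
    (SAMPLE_PATH, r"C:\Windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"),
]


def audit(values) -> dict:
    """Map each raw value string to the notes its parsed entry earns."""
    return {data: findings(parse_allow_entry(name, data)) for name, data in values}


if __name__ == "__main__":
    for data, notes in audit(REPORT_VALUES).items():
        print(data)
        for note in notes:
            print("  -", note)
```

Splitting from the right would also work for these two entries, but the regex keeps the display name intact when it contains colons, which the free-text field allows.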
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes: netsh.exe (PID 4184), netsh.exe (PID 1552). Both run the command line recorded in the process tree, netsh firewall add allowedprogram 1.exe 1 ENABLE: the deprecated netsh firewall context (superseded by netsh advfirewall firewall) with a relative program path, 1.exe, and the rule name 1. The allow-list entries that actually name the sample and nvsvc32.exe come from the direct registry writes listed under Modifies firewall policy service, not from these netsh invocations.
- Executes dropped EXE (2 IoCs)
  Processes: nvsvc32.exe (PID 3916), nvsvc32.exe (PID 2612)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Both writes are by 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"
  The machine-wide entry lands under WOW6432Node because the sample is a 32-bit process (it launches its helpers from SysWOW64) writing HKLM\SOFTWARE through the registry redirector; the per-user entry is written for the sandbox user's SID.
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 4708 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) set the thread context of PID 4532 (target procid 90)
  - PID 3916 (nvsvc32.exe) set the thread context of PID 2612 (target procid 98)
  In both cases the target is a second instance of the caller's own image; these are also the two parent/child pairs that receive eight WriteProcessMemory calls each (see below).
- Drops file in Windows directory (7 IoCs)
  - File created: C:\Windows\nvsvc32.exe (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe)
  - File created: C:\Windows\nvsvc32.exb (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\nvsvc32.exe (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\nvsvc32.exb (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\nvsvc32.exe (nvsvc32.exe)
  - File opened for modification: C:\Windows\mdll.dl (nvsvc32.exe)
  - File opened for modification: C:\Windows\mtdll.dl (nvsvc32.exe)
- Launches sc.exe (1 IoC)
  sc.exe is the Windows utility for controlling services on the system.
  Process: sc.exe (PID 2840)
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
  netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Each of the two netsh.exe instances performed Key opened, Key queried and Key value enumerated on \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh.
  All six operations are reads. netsh.exe enumerates this key on every start to load its registered helper DLLs, so the signature here documents netsh running, not a helper DLL being registered; registering one would show up as a Set value under that key, and none is recorded.
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by nvsvc32.exe (2), net.exe (3), net1.exe (3), netsh.exe (2), 8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe (2), sc.exe (1) and explorer.exe (1).
  Every process in the chain, including the Microsoft helper binaries, opens this key, so on its own it carries little signal.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  These reads come from the Edge browser that was opened on the myspace.com URL, not from the sample or nvsvc32.exe.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  msedge.exe PID 4972 (2), msedge.exe PID 4696 (2), identity_helper.exe PID 2292 (2), msedge.exe PID 1860 (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  msedge.exe PID 4696 (9)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  msedge.exe PID 4696 (25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  msedge.exe PID 4696 (24)
  These four signatures are raised entirely by the Edge process tree that handled the URL, not by the sample.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Writer PID (image) -> target PID (procid_target): number of writes
  - 4708 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) -> 3192 (87): 3
  - 3192 (net.exe) -> 2904 (89): 3
  - 4708 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) -> 4532 (90): 8
  - 4532 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) -> 4184 (91): 3
  - 4532 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) -> 3916 (93): 3
  - 3916 (nvsvc32.exe) -> 4012 (95): 3
  - 4532 (8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe) -> 3568 (94): 3
  - 4012 (net.exe) -> 2780 (97): 3
  - 3916 (nvsvc32.exe) -> 2612 (98): 8
  - 2612 (nvsvc32.exe) -> 1552 (100): 3
  - 2612 (nvsvc32.exe) -> 1256 (101): 3
  - 2612 (nvsvc32.exe) -> 2840 (102): 3
  - 1256 (net.exe) -> 4848 (105): 3
  - 2856 (explorer.exe) -> 4696 (106): 2
  - 4696 (msedge.exe) -> 1612 (108): 2
  - 4696 (msedge.exe) -> 1564 (109): 11
  Every ordinary parent/child pair started by the sample or nvsvc32.exe shows three writes; the two eight-write pairs (4708 -> 4532 and 3916 -> 2612) are the same pairs flagged under Suspicious use of SetThreadContext.
Processes
- C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe (PID 4708)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe"
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 3192)
    command line: net stop MsMpSvc
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2904)
      command line: C:\Windows\system32\net1 stop MsMpSvc
      signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe (PID 4532)
    command line: C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
    signatures: Modifies firewall policy service; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4184)
      command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
      signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Windows\nvsvc32.exe (PID 3916)
      command line: "C:\Windows\nvsvc32.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4012)
        command line: net stop MsMpSvc
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2780)
          command line: C:\Windows\system32\net1 stop MsMpSvc
          signatures: System Location Discovery: System Language Discovery
      - C:\Windows\nvsvc32.exe (PID 2612)
        command line: C:\Windows\nvsvc32.exe
        signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe (PID 1552)
          command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
          signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net.exe (PID 1256)
          command line: net stop wuauserv
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe (PID 4848)
            command line: C:\Windows\system32\net1 stop wuauserv
            signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\sc.exe (PID 2840)
          command line: sc config wuauserv start= disabled
          signatures: Launches sc.exe; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\explorer.exe (PID 3568)
      command line: explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
      signatures: System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 2856)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4696)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://browseusers.myspace.com/Browse/Browse.aspx
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf07f46f8,0x7ffcf07f4708,0x7ffcf07f4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1564)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4972)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4420)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1520)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4796)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1496)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3108)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4184, PID reused after netsh.exe exited)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4772)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4688)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2292)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2936)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2964)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1860)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8003495253121331422,8059412128777385528,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
      signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2832)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3100)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: the sample (PID 4708) first runs net stop MsMpSvc, then starts a second copy of itself (PID 4532) and sets its thread context. That copy writes the firewall allow-list and Run-key entries, runs the deprecated netsh firewall add allowedprogram command, drops C:\Windows\nvsvc32.exe and launches it, and finally opens http://browseusers.myspace.com/Browse/Browse.aspx through explorer.exe, which is why a separate explorer.exe/msedge.exe tree appears after it. nvsvc32.exe (PID 3916) repeats the same routine (net stop MsMpSvc, relaunch itself as PID 2612, netsh) and additionally stops and disables Windows Update (net stop wuauserv, then sc config wuauserv start= disabled). MsMpSvc is the Microsoft Antimalware Service name used by Microsoft Security Essentials; on this Windows 10 image Defender runs as WinDefend, so that net stop targets a service that is not present. The Edge and CompPkgSrv.exe processes are the browser handling the URL, not sample code.
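As an added example, not part of the Triage report: the following Python reproduces the sample's part of the process tree above as constructed Sysmon-style process-creation events (PID 4708's parent, PID 1000, is assumed; the report does not show it), matches the three defense-impairment command lines the tree records, walks each hit back past net/net1/netsh/sc to the binary that started it, and lists the parent/child pairs that share an image, which are the pairs the SetThreadContext signature flagged. The rule names, the helper-binary list and the two-rule alert threshold are the example's own assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed Sysmon Event ID 1-style events mirroring this report's process
# tree: (pid, ppid, image, command line). PID 4708's parent (1000) is assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe"
DROPPED = r"C:\Windows\nvsvc32.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"

EVENTS = [
    (4708, 1000, SAMPLE, f'"{SAMPLE}"'),
    (3192, 4708, NET, "net stop MsMpSvc"),
    (2904, 3192, NET1, r"C:\Windows\system32\net1 stop MsMpSvc"),
    (4532, 4708, SAMPLE, SAMPLE),
    (4184, 4532, NETSH, "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    (3916, 4532, DROPPED, f'"{DROPPED}"'),
    (4012, 3916, NET, "net stop MsMpSvc"),
    (2780, 4012, NET1, r"C:\Windows\system32\net1 stop MsMpSvc"),
    (2612, 3916, DROPPED, DROPPED),
    (1552, 2612, NETSH, "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    (1256, 2612, NET, "net stop wuauserv"),
    (4848, 1256, NET1, r"C:\Windows\system32\net1 stop wuauserv"),
    (2840, 2612, SC, "sc config wuauserv start= disabled"),
]

# Command-line rules (example's own names). Service names cover the legacy
# MsMpSvc seen here plus the Windows 10 equivalents a hunter would add.
RULES = [
    ("security_service_stop",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(?:msmpsvc|windefend|wuauserv|wscsvc)\b", re.I)),
    ("legacy_firewall_allow",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)),
    ("service_disabled_via_sc",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I)),
]
# Helper binaries to walk through when attributing a hit to its originator.
LOLBINS = {"net.exe", "net1.exe", "netsh.exe", "sc.exe", "cmd.exe"}


def index(events):
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def origin(pid, table):
    """Walk up the parent chain past helper binaries to the first other image."""
    while pid in table:
        ppid, image, _ = table[pid]
        if basename(image).lower() not in LOLBINS:
            return image
        pid = ppid
    return None


def detect(events):
    """Return (rule, pid, originating image) for every matching command line."""
    table = index(events)
    hits = []
    for pid, ppid, image, cmd in events:
        # net.exe hands the real work to net1.exe; count that pair once.
        if basename(image).lower() == "net1.exe" and ppid in table \
                and basename(table[ppid][1]).lower() == "net.exe":
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, pid, origin(pid, table)))
    return hits


def self_relaunches(events):
    """(parent pid, child pid) pairs where the child runs the parent's own image."""
    table = index(events)
    return [(ppid, pid) for pid, ppid, image, _ in events
            if ppid in table and table[ppid][1].lower() == image.lower()]


def triage(events, threshold=2):
    """Originating images that triggered at least `threshold` distinct rules."""
    by_origin = defaultdict(set)
    for name, _, org in detect(events):
        by_origin[org].add(name)
    return {org: sorted(names) for org, names in by_origin.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for rule, pid, org in detect(EVENTS):
        print(f"{rule:24} pid={pid} origin={org}")
    print("self-relaunch pairs:", self_relaunches(EVENTS))
    for org, names in triage(EVENTS).items():
        print("ALERT", org, names)
```

Attributing each helper-binary hit to its originating image is what turns six individual command-line matches into two findings: one per binary that drove the sequence.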
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify System Firewall (2)
- Modify Registry (2)
Downloads
- Filesize: 152B
  MD5: 27304926d60324abe74d7a4b571c35ea
  SHA1: 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
  SHA256: 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
  SHA512: f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
- Filesize: 152B
  MD5: 9e3fc58a8fb86c93d19e1500b873ef6f
  SHA1: c6aae5f4e26f5570db5e14bba8d5061867a33b56
  SHA256: 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
  SHA512: e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 240B
  MD5: 10a7623685c69de40351d124c7a65267
  SHA1: 0936a8928088ad0daf0b73f1b49c25671444fae1
  SHA256: 5aa1ec44f8e03fb4fe62f27e569e9f243c32f8d116457a88c40175fd88f8f6ab
  SHA512: 5bb2fa0ee0400a350752e21895dfcc119395aae8cd32cab37c667ba4293698ed390a801c9760515312f24408eccc992aa79357ec088835660ed4cf7a9a015509
- Filesize: 1KB
  MD5: dd880f29225abd57dd0f84c47bb6713b
  SHA1: dcfa8396b697028885c15ed49a31e717bade7492
  SHA256: 4a09bf9ad22f9b137d04c17e868819b5d92ca8f2a5a3e9922f5ada8f8220b17e
  SHA512: 97a8d70e353548c2bd9fa7afe8af180cf88c0d8580190f54ab4b91470c2c4432871d7b23824362bcfa15948ee6a71f81035f05955901110a423e7a7e8b36c898
- Filesize: 6KB
  MD5: 6c6e1036b065898a4224f5a93fc3f3f5
  SHA1: 03bd00d0c3e7ddf74a732ed9bb4c85e20127d849
  SHA256: 9f61dce20182d6a5e7ec7d93a3bd6011ba9ce2e36928365a9ffb6748001d65ed
  SHA512: 4f9a3b6d29c2a97d09a07b0864e740384652f9b7023d1619bd941e33833a75f1741b231aaee7390ab3949d97646fd46d8772fbe3ceac414dcaf6a22e20999179
- Filesize: 7KB
  MD5: 456e3b2cc29d564a62abd30e45134066
  SHA1: 97b91901b07e75418231ad2220f2c00983f1d91b
  SHA256: 702bb51d92cb41737404b25745b4ab755b3ca8c60c664ff658b798578d9878bf
  SHA512: 218e5e186f0ce305a36e055958a61f0db3507676946f37a08219d366e798d0a28f5576bf478d7e5796cabaa07167cc6b4d402510d16ed145de5734905813db28
- Filesize: 6KB
  MD5: ce5cebd1e41050b47d4fc5064ff6959e
  SHA1: ecd16d2fb6649f6746b9609027d5a635fa9b0cce
  SHA256: 11e966de2f03b5756cdf05c8e8ea7e6a502477aedd8a78cf5dfebf8d24aa5142
  SHA512: df46e943e8d50640664f826172f8e73f122e18af78ca27016337aa990495495b114da7893acbfbde2b9ff1b72326d22d8dd04ac2792f548c3788b44f2ad61943
- Filesize: 7KB
  MD5: ea1cdf072fa3858c4016428a0a78dc62
  SHA1: 39ac233a079009efa3c19649177b8a1f4792f1b2
  SHA256: a946baa56b41f1a9a338ef30b64ee5fcf5111ec6d9f07b0692a250c34001e80c
  SHA512: 899ddddfdfaab93408123700db59ceaf730dfbdad0e776e96930f91afb128fbd5dde79fff8c4d2ffdfe55e1d1e3155a5a6848cd121f4997ef1ec592fdc2b4cdc
- Filesize: 705B
  MD5: b59f82ea7166cddfb9dc6ec5c3f3165d
  SHA1: 67e2e96980d76485f2adfed4c182a78412dfa277
  SHA256: e9a74a60f0ab4874ff567694a339578498de9050f3fe90063bf979aa6ab24392
  SHA512: f960bae8aab3acaaeed329b2718b1cda3ad61e30811b02532bede871b66df27186dfa9f04b5a81537512731769787489e5845674bb04590b3934e806e96a5d63
- Filesize: 371B
  MD5: fc095b6f6db612ab4e134f604bc8de24
  SHA1: cdbaa0cb05fdf6d15e96f89a1e64ce698ff8344c
  SHA256: 235396a8c25cd37f310f1918881009eb32c46b3672f5b7f979631e630a3e9c08
  SHA512: d92710735c1a0888d14e2388a66174137008b58584ad43a01c6317c280276512bc007f4544083e2ab974b2436c857250467d73ccedf8fec6ebc35607399be2ba
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 046e020a3f2adb8121e807b45705bb50
  SHA1: 2f1de917d3164374a20dd1521aa90d14ab61a4ee
  SHA256: 8c5d05f53e68e458455eb9e2cf00033a0bcbff1f0155a8432e01fae8a42a79dd
  SHA512: cacd88c1af5a945abad3c4f80a12ad86759d76929b2b4a55c5009f5ec1206e8b669aab953f2a30f74d09d5d2ad87b646c03ff2424192724089696f8d22751ac5
- Filesize: 229KB (hashes identical to the submitted sample)
  MD5: 8ea62755d4e84d11a74d5d935d51c919
  SHA1: 09241eb73c594a5e7da9824ac46de7b5e97e2f45
  SHA256: 148c1c94ec622ade72d4b8f8c248ce3b27c39b5cd9f02c079c9c9860345ac8ba
  SHA512: 79a97742ceb3f6cf71abd4c79f6c2f36809d4d1a43b3daa5484b1eee50d2b1cf08c8ba918a3da32d8179be0a9e3f7830f2549cb1202a31352efc7b28408537d5