Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview: score 7/10
Static: score 7/10

Tasks (target names truncated as on the page; score out of 10)
Target                   Platform             Score
0e33b00d35...18.exe      windows7-x64         7
0e33b00d35...18.exe      windows10-2004-x64   7
$PLUGINSDI...ns.dll      windows7-x64         3
$PLUGINSDI...ns.dll      windows10-2004-x64   3
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...dl.dll      windows7-x64         3
$PLUGINSDI...dl.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
$PLUGINSDIR/UAC.dll      windows7-x64         3
$PLUGINSDIR/UAC.dll      windows10-2004-x64   3
$PLUGINSDI...ec.dll      windows7-x64         3
$PLUGINSDI...ec.dll      windows10-2004-x64   3
$TEMP/Tool...ke.exe      windows7-x64         7
$TEMP/Tool...ke.exe      windows10-2004-x64   7
$PLUGINSDI...ns.dll      windows7-x64         3
$PLUGINSDI...ns.dll      windows10-2004-x64   3
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...dl.dll      windows7-x64         3
$PLUGINSDI...dl.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
$PLUGINSDI...om.dll      windows7-x64         5
$PLUGINSDI...om.dll      windows10-2004-x64   5
$PLUGINSDI...dt.dll      windows7-x64         3
$PLUGINSDI...dt.dll      windows10-2004-x64   3
$R0.dll                  windows7-x64         6
$R0.dll                  windows10-2004-x64   6
$R2/NSIS.L...4_.exe      windows7-x64         1
$R2/NSIS.L...4_.exe      windows10-2004-x64   3

Analysis
max time kernel: 144s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 05:46
Behavioral tasks
Task          Sample                                               Resource
behavioral1   0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe   win7-20240704-en
behavioral2   0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe   win10v2004-20240802-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                       win7-20240903-en
behavioral4   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240802-en
behavioral5   $PLUGINSDIR/LangDLL.dll                              win7-20240903-en
behavioral6   $PLUGINSDIR/LangDLL.dll                              win10v2004-20240802-en
behavioral7   $PLUGINSDIR/NSISdl.dll                               win7-20240903-en
behavioral8   $PLUGINSDIR/NSISdl.dll                               win10v2004-20240802-en
behavioral9   $PLUGINSDIR/System.dll                               win7-20240903-en
behavioral10  $PLUGINSDIR/System.dll                               win10v2004-20240802-en
behavioral11  $PLUGINSDIR/UAC.dll                                  win7-20240903-en
behavioral12  $PLUGINSDIR/UAC.dll                                  win10v2004-20240802-en
behavioral13  $PLUGINSDIR/nsExec.dll                               win7-20240903-en
behavioral14  $PLUGINSDIR/nsExec.dll                               win10v2004-20240802-en
behavioral15  $TEMP/Toolbar_Phpnuke.exe                            win7-20240903-en
behavioral16  $TEMP/Toolbar_Phpnuke.exe                            win10v2004-20240802-en
behavioral17  $PLUGINSDIR/InstallOptions.dll                       win7-20240903-en
behavioral18  $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240802-en
behavioral19  $PLUGINSDIR/LangDLL.dll                              win7-20240903-en
behavioral20  $PLUGINSDIR/LangDLL.dll                              win10v2004-20240802-en
behavioral21  $PLUGINSDIR/NSISdl.dll                               win7-20240903-en
behavioral22  $PLUGINSDIR/NSISdl.dll                               win10v2004-20240802-en
behavioral23  $PLUGINSDIR/System.dll                               win7-20240903-en
behavioral24  $PLUGINSDIR/System.dll                               win10v2004-20240802-en
behavioral25  $PLUGINSDIR/nsRandom.dll                             win7-20240708-en
behavioral26  $PLUGINSDIR/nsRandom.dll                             win10v2004-20240802-en
behavioral27  $PLUGINSDIR/nsisdt.dll                               win7-20240903-en
behavioral28  $PLUGINSDIR/nsisdt.dll                               win10v2004-20240802-en
behavioral29  $R0.dll                                              win7-20240708-en
behavioral30  $R0.dll                                              win10v2004-20240802-en
behavioral31  $R2/NSIS.Library.RegTool.v3.$_4_.exe                 win7-20240903-en
behavioral32  $R2/NSIS.Library.RegTool.v3.$_4_.exe                 win10v2004-20240802-en
General
Target: 0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
Size: 2.3MB
MD5: 0e33b00d35c755562043fe7fe9b7ae77
SHA1: a90f1b32e7680df523287a8a6394b66ff274497b
SHA256: bc54c023051826946addecb5d79d6d803ef9954284acb58f340344765ee232bc
SHA512: 260e7b5ec24020bd5346494994093aef95442beb131dd1d71736022e17f055bce078b3406e5ec5cb244b8b4d26d6fe8e83ffb171e9082efb9774fed0a042d707
SSDEEP: 24576:06lzh36fbL0ySYK63k4yO6AbzppgJLo01dvXjyolmkHCAi1WcrtpIqj7mEeKu2xQ:9AO6TN6ZLbdzlmaCAcjIO7I2QnjiY
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
    yara_rule acprotect  behavioral2/files/0x00070000000234c4-348.dat
Executes dropped EXE (1 IoC)
    PID 948  Toolbar_Phpnuke.exe
Loads dropped DLL (23 IoCs)
    PID 856   0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe  (5 loads)
    PID 948   Toolbar_Phpnuke.exe                                  (17 loads)
    PID 4624  regsvr32.exe                                         (1 load)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}  Toolbar_Phpnuke.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"  Toolbar_Phpnuke.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}  regsvr32.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"  regsvr32.exe
UPX (yara_rule upx, 4 matches)
    behavioral2/files/0x00070000000234c4-348.dat
    behavioral2/memory/948-353-0x0000000003010000-0x0000000003022000-memory.dmp
    behavioral2/memory/948-352-0x0000000003010000-0x0000000003022000-memory.dmp
    behavioral2/memory/948-351-0x0000000003010000-0x0000000003022000-memory.dmp
Drops file in Program Files directory (9 IoCs)
    File created                  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome.manifest  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\install.rdf  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\dealply.xul  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js  Toolbar_Phpnuke.exe
    File opened for modification  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\DealPly\DealPlyIE.dll  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\DealPly\DealPly.crx  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\images\dealplyIcon32.png  Toolbar_Phpnuke.exe
    File created                  C:\Program Files (x86)\DealPly\uninst.exe  Toolbar_Phpnuke.exe
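The Firefox files above (install.rdf, chrome.manifest, a chrome/content XUL file and a defaults.js) are the legacy, pre-WebExtensions layout of an add-on sideloaded straight into the Firefox program directory instead of being installed through the browser. The PowerShell below is an added example, not code from the Triage report or from DealPly: it walks the extensions folder under both Program Files roots (the install paths are an assumption), reads the em:id and em:name from each install.rdf, and reports whether a chrome.manifest sits beside it, so a folder such as the {EB9394A3-...} one in the report can be matched to the manifest it carries.

```powershell
# Added example, not from the report: inventory add-ons sideloaded into the
# Firefox program directory. Install roots are an assumption about the host.

function Get-SideloadedFirefoxExtension {
    param(
        [string[]]$Roots = @(
            "${env:ProgramFiles}\Mozilla Firefox\extensions",
            "${env:ProgramFiles(x86)}\Mozilla Firefox\extensions"
        )
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
            $rdf  = Join-Path $dir.FullName 'install.rdf'
            $id   = $null
            $name = $null

            if (Test-Path -LiteralPath $rdf) {
                # install.rdf is RDF/XML; em:id / em:name may be elements or attributes,
                # so resolve the em namespace and accept either form.
                $xml = [xml](Get-Content -LiteralPath $rdf -Raw)
                $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
                $ns.AddNamespace('em', 'http://www.mozilla.org/2004/em-rdf#')
                $idNode   = $xml.SelectSingleNode('//em:id | //@em:id', $ns)
                $nameNode = $xml.SelectSingleNode('//em:name | //@em:name', $ns)
                if ($idNode)   { $id   = $idNode.InnerText.Trim() }
                if ($nameNode) { $name = $nameNode.InnerText.Trim() }
            }

            [pscustomobject]@{
                Folder            = $dir.Name          # e.g. {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
                Id                = $id                # em:id from install.rdf, $null if absent
                Name              = $name
                HasChromeManifest = Test-Path -LiteralPath (Join-Path $dir.FullName 'chrome.manifest')
                Modified          = $dir.LastWriteTime
                Path              = $dir.FullName
            }
        }
    }
}

# Any entry here was written by something other than Firefox's own add-on
# installer; compare Folder/Id against the extensions the user actually chose.
Get-SideloadedFirefoxExtension | Format-Table Folder, Name, Id, HasChromeManifest, Modified -AutoSize
```

A folder whose em:id does not match its folder name, or whose install.rdf is missing while chrome.manifest is present, is worth pulling for review together with the .crx dropped next to the IE DLL.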
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Toolbar_Phpnuke.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
NSIS installer (2 IoCs)
    yara_rule nsis_installer_1  behavioral2/files/0x00070000000234ae-264.dat
    yara_rule nsis_installer_2  behavioral2/files/0x00070000000234ae-264.dat
Enumerates system info in registry (2 TTPs, 3 IoCs)
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Modifies registry class (10 IoCs)
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}  Toolbar_Phpnuke.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32  regsvr32.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"  regsvr32.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}  regsvr32.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"  regsvr32.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"  regsvr32.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"  Toolbar_Phpnuke.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32  Toolbar_Phpnuke.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"  Toolbar_Phpnuke.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"  Toolbar_Phpnuke.exe
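The "Installs/modifies Browser Helper Object" and "Modifies registry class" signatures above are two halves of one persistence mechanism: a CLSID is registered under Classes\WOW6432Node\CLSID\{A6174F27-...}\InProcServer32 pointing at DealPlyIE.dll, and the same CLSID is listed under Explorer\Browser Helper Objects so Internet Explorer loads the DLL on start (NoExplorer = 1 tells the shell not to load it into Windows Explorer as well). The PowerShell below is an added example, not code from the Triage report or from DealPly: it enumerates both the native and the WOW6432Node BHO lists, resolves each CLSID to its DLL through the CLSID roots (HKCU is checked first because a per-user CLSID shadows the machine one for that user), and reports the DLL's Authenticode status so an unsigned or missing BHO DLL stands out.

```powershell
# Added example, not from the report: enumerate registered Browser Helper Objects
# and resolve each CLSID to the DLL behind InProcServer32.

function Get-BrowserHelperObject {
    [CmdletBinding()]
    param()

    # Native and WOW6432Node views; a 32-bit installer on x64 writes the latter,
    # which is what the report shows.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # CLSID roots, in the order a per-user COM registration would win.
    $clsidRoots = @(
        'HKCU:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
        'HKLM:\SOFTWARE\Classes\CLSID'
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid    = $key.PSChildName
            $bhoProps = Get-ItemProperty -LiteralPath $key.PSPath
            $dll = $null; $friendly = $null; $resolvedFrom = $null

            foreach ($cr in $clsidRoots) {
                $clsidKey  = Join-Path $cr $clsid
                $inprocKey = Join-Path $clsidKey 'InProcServer32'
                if (-not (Test-Path -LiteralPath $inprocKey)) { continue }
                $resolvedFrom = $clsidKey
                $friendly = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
                $raw      = (Get-ItemProperty -LiteralPath $inprocKey).'(default)'
                # The default value may be REG_EXPAND_SZ with %SystemRoot%-style text
                $dll = [Environment]::ExpandEnvironmentVariables([string]$raw).Trim('"')
                break
            }

            $sig = 'DLL_MISSING'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
            }

            [pscustomobject]@{
                CLSID        = $clsid
                Name         = $friendly             # "DealPly" for the CLSID in the report
                Dll          = $dll
                Signature    = $sig                  # Valid / NotSigned / HashMismatch / DLL_MISSING
                NoExplorer   = $bhoProps.NoExplorer  # 1 = load in IE only, not in Windows Explorer
                BhoView      = $root
                ResolvedFrom = $resolvedFrom         # $null when no InProcServer32 exists for the CLSID
            }
        }
    }
}

# Anything that is not validly signed, or that is listed with no DLL behind it,
# is the shape to review first.
Get-BrowserHelperObject |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table CLSID, Name, Dll, Signature, NoExplorer -AutoSize
```

Reading HKLM does not need elevation, so this runs as the affected user; resolving through HKCU first is deliberate, since a CLSID planted there would be the copy Internet Explorer actually instantiates for that account.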
Suspicious behavior: EnumeratesProcesses (10 IoCs)
    PID 1800  msedge.exe           (2)
    PID 3928  msedge.exe           (2)
    PID 1064  identity_helper.exe  (2)
    PID 4428  msedge.exe           (4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
    PID 3928  msedge.exe  (10)

Suspicious use of FindShellTrayWindow (25 IoCs)
    PID 3928  msedge.exe  (25)

Suspicious use of SendNotifyMessage (24 IoCs)
    PID 3928  msedge.exe  (24)
Suspicious use of WriteProcessMemory (64 IoCs)
    Source PID  Source process                                       Target PID  procid_target  Count
    856         0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe   3928        82             2
    856         0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe   948         83             3
    3928        msedge.exe                                           3688        84             2
    948         Toolbar_Phpnuke.exe                                  4624        85             3
    3928        msedge.exe                                           1896        86             40
    3928        msedge.exe                                           1800        87             2
    3928        msedge.exe                                           2000        88             12
Processes (image, PID, command line, matched signatures; indentation is parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe  (PID 856)
    cmd: "C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3928)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pf.toggle.com/s/3/2/32235-93100-hitman-pro.exe
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3688)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff998e246f8,0x7ff998e24708,0x7ff998e24718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1896)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1800)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2000)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1076)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3544)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4724)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4004)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4400)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1064)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1900)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2084)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4860)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 948)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4968)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 32)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4428)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4032 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe  (PID 948)
        cmd: "C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe" /DEFAULTSEARCH /DEFAULTSTART /S /CHANNEL=dptgl /TOOLBAR
        - Executes dropped EXE
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe  (PID 4624)
            cmd: C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\DealPly\DealPlyIE.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - System Location Discovery: System Language Discovery
            - Modifies registry class

C:\Windows\System32\CompPkgSrv.exe  (PID 996)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3608)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
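The branch of the tree worth turning into a detection is the last one: an executable dropped into the user's Temp directory runs silently (/S) and spawns regsvr32 /s to register a DLL it just wrote under Program Files (x86). Note that the image is the SysWOW64 copy of regsvr32 even though the command line names system32; that is WOW64 file system redirection for the 32-bit parent, so a rule keyed on the image path must accept both. The PowerShell below is an added example, not part of the Triage report: it scores process-creation records with Sysmon Event ID 1-style fields (ProcessId, Image, CommandLine, ParentImage; the field names are an assumption about how the events were exported, and the sample records are constructed to mirror the tree above) and flags any regsvr32 that combines at least two of the silent switch, a parent under a user-writable path, and a DLL outside System32/SysWOW64.

```powershell
# Added example, not from the report: flag regsvr32 launched by a dropped
# installer to register a non-OS DLL. Record fields follow Sysmon Event ID 1
# naming; that mapping is an assumption about the log source.

function Test-RegsvrFromDroppedInstaller {
    param([Parameter(Mandatory)][object[]]$Events)

    # Parent paths a user can write to without elevation
    $userWritable = '(?i)\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\'
    # DLLs that belong to the OS; anything else is "outside"
    $systemDll    = '(?i)^[A-Z]:\\Windows\\(System32|SysWOW64)\\'

    foreach ($e in $Events) {
        if ($e.Image -notmatch '(?i)\\regsvr32\.exe$') { continue }

        # regsvr32 [/s] [/u] [/i[:cmdline]] [/n] dllname : take the quoted DLL first,
        # then fall back to the first bare token ending in .dll
        $dll = $null
        if ($e.CommandLine -match '"([^"]+\.dll)"')   { $dll = $Matches[1] }
        elseif ($e.CommandLine -match '(\S+\.dll)')   { $dll = $Matches[1] }

        $silent       = [bool]($e.CommandLine -match '(?i)(^|\s)/s(\s|$)')
        $parentInTemp = [bool]($e.ParentImage -match $userWritable)
        $dllOutsideOS = [bool]($dll -and ($dll -notmatch $systemDll))

        # Each condition seen in the report adds one point; two or more fires
        $score = [int]$silent + [int]$parentInTemp + [int]$dllOutsideOS
        if ($score -ge 2) {
            [pscustomobject]@{
                ProcessId    = $e.ProcessId
                Parent       = $e.ParentImage
                Dll          = $dll
                Silent       = $silent
                ParentInTemp = $parentInTemp
                DllOutsideOS = $dllOutsideOS
                Score        = $score
            }
        }
    }
}

# Constructed sample records (not the report's raw logs): the first mirrors the
# regsvr32 branch above, the second is a benign OS DLL registration by msiexec.
$sample = @(
    [pscustomobject]@{
        ProcessId   = 4624
        Image       = 'C:\Windows\SysWOW64\regsvr32.exe'
        CommandLine = 'C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\DealPly\DealPlyIE.dll"'
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe'
    },
    [pscustomobject]@{
        ProcessId   = 5120
        Image       = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s C:\Windows\System32\scrrun.dll'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
    }
)

# Only the first record is returned, with Score = 3
Test-RegsvrFromDroppedInstaller -Events $sample | Format-Table -AutoSize
```

The threshold of two keeps a signed vendor installer that runs regsvr32 /s from Program Files quiet (one point) while still catching a parent in Temp that registers a DLL under Program Files without /s. Pair the hit with the "Modifies registry class" entries above to recover the CLSID the DLL was registered as.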
Network
MITRE ATT&CK Enterprise v15
Credential Access
    Credentials from Password Stores (1): Credentials from Web Browsers (1)
    Unsecured Credentials (1): Credentials In Files (1)
Downloads

Filesize 76KB
MD5 ee5fb0fd8c2d19d90e8fad8e8636a38e
SHA1 5d41abc6c1e69e72466eeb4e4f2128ac0343bb16
SHA256 02e1d44c854de1f8400a1cc24c2ba89efec402cf327dd192b0c581c6e01dede9
SHA512 607212af21ecd1d0bb0f308f566a457c8ed57d71eb4848242f5efe450de149b232c0953dde49140a8b4e6571fabbc21196272a1a856a6b34cb2da27c38def68f

Filesize 152B
MD5 847d47008dbea51cb1732d54861ba9c9
SHA1 f2099242027dccb88d6f05760b57f7c89d926c0d
SHA256 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512 bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Filesize 152B
MD5 f9664c896e19205022c094d725f820b6
SHA1 f8f1baf648df755ba64b412d512446baf88c0184
SHA256 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA512 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Filesize 5KB
MD5 3c4bcd7af7ba844556b0451fcc0c954f
SHA1 5835daa1c794f83f7a5ce92db132b8aa9fd80399
SHA256 8f1cfb67c0b3277d6539a8fa3e423e83a595367b614bdbc7bf7877163ab9da5d
SHA512 1bebd771eaa561abaa7e294156d8754fd3f892c736a7213800d1e86ce9f9f8434e78dda1af9ee5643505e59452b92e80014d4176ea042365d2af357143c05f24

Filesize 6KB
MD5 9034a6dbc47c23e75dc6cc63718852b2
SHA1 0b647aeaaf7e24ae9ff4bae084cb6a2e962785d0
SHA256 d3b7c3acf75702a964c6f8447efb30fa9c517f4dfd5fc1b5681711c9b0e08d12
SHA512 55d9c46b3b2103b4d6bf999f7bec822cb0c6274b4546200c784dfd8e7eb82aa8b4e59fcd477485cfe4cdaf3d0f684fc5701353f1357d02d659d28a1c8f3bbf06

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 10KB
MD5 4eec0b2e850a1b7b96c4fc297f852d46
SHA1 c2ec40af804c606d8d811b31536b5a01bf9d5ed3
SHA256 a16c9ccb80919064b48e396ebd6afcdb3fb4dd5c984b66fad438a1add93fdd10
SHA512 28f1f074af649f82ab5d5e536d6bffba4e43bd4992067dfac0a60928955f8ce1c3592a0006206c74a872b3bbae326d5b555169001364b9157dd9448a1be9b311

Filesize 210KB
MD5 1e3e68a0a110922361890ff0de710d74
SHA1 adf466a53c099099541e48655118e2dfeea75be2
SHA256 0930a168d6c22438d2d55cda730b93b330e849325d6ac47590682b3417541baf
SHA512 3a769923b6822dc4d62f3bde718efa87c3da8d5fa7237128236c6249e0d4a1345c0c1b23fdf669052ae30551ac79258ab9e654eb44480b7f0033ea460562f565

Filesize 11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize 21KB
MD5 ab467b8dfaa660a0f0e5b26e28af5735
SHA1 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256 db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Filesize 5KB
MD5 df4795dfabe3bc9278a73d496cc4b40d
SHA1 2648ded47e29ecf3e1a1cc20c631e83caf566897
SHA256 2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10
SHA512 013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

Filesize 14KB
MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Filesize 5KB
MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Filesize 14KB
MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Filesize 17KB
MD5 09caf01bc8d88eeb733abc161acff659
SHA1 b8c2126d641f88628c632dd2259686da3776a6da
SHA256 3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478
SHA512 ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Filesize 1KB
MD5 3f202db385148217d79d53f06462e686
SHA1 6a9c47bc42173d96cf16c8a154c1bcd88e395d4c
SHA256 6e60397746fc1cbc1935279d65dcf5a087a148071fe9bb772798ee7eba9aad26
SHA512 1e9697d383daf03ee362e105bad8fca4d908ce79f29b5032d6a1b7305e38c94385eb0a434e96af7e5eb69fe3d9e1ce0a3588cdd40b6cd2c0e083f27f9fa3c836

Filesize 1KB
MD5 4556800e1026520af6a9ae83cdacdb62
SHA1 718fe152a40ee68a685c3ed1b2e3063d6d537497
SHA256 031a161d5e80ba5026cb406c2e2e01fb3f6711b5f4bb3939aef9d5503b818630
SHA512 b38bdfff1e3403e98953823845a869af6cfee4170dcc0ffdd0a926ef83c0a9fe6a985da9f2baf0bea89bd502843fcbec2e74b6b51bf358e58380da974b038a64

Filesize 1KB
MD5 a78e8ff7b6e3a803e270a8a5fc09bf11
SHA1 887c43a761f779c5e9553bc74f71e5a5b159186c
SHA256 469f0e1643f6a75f351a7ffb934e00a392593e7f09956a86fe7391f8f73fd731
SHA512 2653c6808a9a9838e2ba424a83dad239eb17cfb719f490986dd93b14795421921b08087e25fb256344bcc1a03c64659ef8e2f96223f8d5bcfaa1eb0681e95155