Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted
03/10/2024, 20:43
Static task
static1
Behavioral task
behavioral1
Sample
10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Resource
win10v2004-20240910-en
General
Target: 10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Size: 1.2MB
MD5: 10721600521da1f4c78fda3069591792
SHA1: db022b26588d8c09435b5dcd3734573547f2efb7
SHA256: 8a9cf3f37216734499bbc2d655d9e30af9e7304a76105de385271eb51bcaf9b0
SHA512: 9c712683beef37cdf8dc9f1807d81faa280ca8d4f988418da00e1a42fc7622a217728a18374fc8abb02aa02e841330cd36334a9851c12275cf49f14431c1e3c3
SSDEEP: 12288:YLzpqk/x6jRt14teGtLPfOy4/gEE4tLt+1NkT6VauKRWLODbQxsAWfv:YLzpxott+tPPfOlgEEng6VcRWL5xRW3
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | 10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\safe.ico | 10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\9610c9b4e6f2a249a4d82f0f0f7f5a50.tmp | expand.exe
File opened for modification | C:\progra~1\ico\{5FBBA850-AF98-425A-9A59-2E5EF5921FC2} | expand.exe
File opened for modification | C:\progra~1\ico\Music.ico | expand.exe
File opened for modification | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\job.xml | expand.exe
File opened for modification | C:\progra~1\ico\Chat.ico | expand.exe
File opened for modification | C:\progra~1\ico\Taobao.ico | expand.exe
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\ae6ac76f72ab184f98f154060115a001.tmp | expand.exe
File opened for modification | C:\progra~1\ico\Film.ico | expand.exe
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\0a2596e3c49d244793e634eac2e94296.tmp | expand.exe
File opened for modification | C:\progra~1\ico\Beauty.ico | expand.exe
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\bd3e5bf84f5cb24b871ddc2db45a2489.tmp | expand.exe
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\6d1e07e12de86640b25e3f6095eb942a.tmp | expand.exe
File opened for modification | C:\progra~1\ico\Video.ico | expand.exe
File opened for modification | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp | expand.exe
File created | C:\progra~1\ico\2beb306d7b3f44248a7fe67ed62eb8e7$dpx$.tmp\aab6cb21053e064ea5f7ef6c7082b39c.tmp | expand.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\LOGS\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | expand.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | expand.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process: 2208 msedge.exe; 2208 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 3192 identity_helper.exe; 3192 identity_helper.exe; 5488 msedge.exe; 5488 msedge.exe; 5488 msedge.exe; 5488 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process: 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3664 | 10721600521da1f4c78fda3069591792_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process: 2236 iexplore.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid Process: 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe; 1348 msedge.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process: 3664 10721600521da1f4c78fda3069591792_JaffaCakes118.exe; 3664 10721600521da1f4c78fda3069591792_JaffaCakes118.exe; 3664 10721600521da1f4c78fda3069591792_JaffaCakes118.exe; 2236 iexplore.exe; 2236 iexplore.exe; 232 IEXPLORE.EXE; 232 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\10721600521da1f4c78fda3069591792_JaffaCakes118.exe (PID 3664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10721600521da1f4c78fda3069591792_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4888)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FjT0b.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\expand.exe (PID 3560)
      Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  C:\Program Files\Internet Explorer\iexplore.exe (PID 2236)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.00815.com/?x
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 232)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:17410 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\explorer.exe (PID 4620)
    Command line: explorer.exe http://tc.00815.com/
    - System Location Discovery: System Language Discovery

C:\Windows\explorer.exe (PID 216)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1348)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tc.00815.com/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4268)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff72a846f8,0x7fff72a84708,0x7fff72a84718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1956)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2208)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1748)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4516)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2756)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3192)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 456)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4960)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5216)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5332)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5500)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6100)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5128)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5488)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17972515831102534257,4519080720949930344,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5460 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 3212)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1408)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads