1a79f996f0f4f9919814e0bc2fb2a413feb4e75af72ca80c3af0c89f9393f3d0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
Size

3.5MB
MD5

11acb9ce13bd536814fe7a00a0f3d119
SHA1

f671d2ba64fe08537ded22a0e27a516509147917
SHA256

1a79f996f0f4f9919814e0bc2fb2a413feb4e75af72ca80c3af0c89f9393f3d0
SHA512

f14542a7a85d5476f09318347745c07a71322426e5cc322a0c2b28ae5cbdaa2539fdc96660266d465b80aa97f46eb3fe27232169d28638eaff2ce24046a95c79
SSDEEP

98304:crzs6YwQbEDxhyu/zUEWfr2PrPR0YHTqwC:crzswQOTQxSPbRfHQ

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	GenuineRegistryDoctor.exe

Executes dropped EXE 3 IoCs

pid	Process
368	CheckInstall.exe
4104	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe

Loads dropped DLL 1 IoCs

pid	Process
3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\info.html	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\trialnotify.mht	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\uninst.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\icon.ico	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\FilePulverizer.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\StartupManager.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\SystemInformation.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\const.dat	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\data\topic.db	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\data\utilities.db	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\btnpanel.dat	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\images\about.png	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\images\background.png	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\ClonedFileCleaner.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\SweepHelper.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\lang\English.lan	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\16.png	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\res\32.png	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\skins\default.skn	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
File created	C:\Program Files (x86)\GenuineRegistryDoctor\AutoShutdown.exe	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2364	GenuineRegistryDoctor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GenuineRegistryDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GenuineRegistryDoctor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
2684	msedge.exe
2684	msedge.exe
2108	identity_helper.exe
2108	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe
2684	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4104	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe
2364	GenuineRegistryDoctor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 368	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	89
PID 3524 wrote to memory of 368	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	89
PID 3524 wrote to memory of 368	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	89
PID 3524 wrote to memory of 4104	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	93
PID 3524 wrote to memory of 4104	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	93
PID 3524 wrote to memory of 4104	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	93
PID 4104 wrote to memory of 2364	4104	GenuineRegistryDoctor.exe	94
PID 4104 wrote to memory of 2364	4104	GenuineRegistryDoctor.exe	94
PID 4104 wrote to memory of 2364	4104	GenuineRegistryDoctor.exe	94
PID 3524 wrote to memory of 2684	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	95
PID 3524 wrote to memory of 2684	3524	11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe	95
PID 2684 wrote to memory of 1068	2684	msedge.exe	96
PID 2684 wrote to memory of 1068	2684	msedge.exe	96
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 2016	2684	msedge.exe	97
PID 2684 wrote to memory of 3044	2684	msedge.exe	98
PID 2684 wrote to memory of 3044	2684	msedge.exe	98
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99
PID 2684 wrote to memory of 2596	2684	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11acb9ce13bd536814fe7a00a0f3d119_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\CheckInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\CheckInstall.exe" "Adobe Flash Player" "ShockwaveFlash.ShockwaveFlash.8" "http://clientn.super-mp3-download.com/install/flash_player_ax.exe" " -install"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:368
- C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe
  "C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe
    "C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe" runas
    3⤵
    - Executes dropped EXE
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://client.genuineregistrydoctor.com/client/?PID=GRD&ACTION=installed&IVER=2.6.5.8&ILAN=
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaa3eb46f8,0x7ffaa3eb4708,0x7ffaa3eb4718
    3⤵
    PID:1068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,622575285774084280,12548628609965997237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    3⤵
    PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GenuineRegistryDoctor\GenuineRegistryDoctor.exe

Filesize
3.8MB

MD5
2296b43333a06c894583e4ffc44c0f89

SHA1
91a3a364b629b4cb8805b646f28fde8c0cb137bf

SHA256
46510a796467580a805d7e44324f491f7ca9c33900bfdb05e09cf139d2003a13

SHA512
3cb4d08061f2621ed7bab1c893beb989a70c0758a82c0d533330c4b6093427fa5e4a4c56a14280a84551c3705bd44fe0fc023e93c5f053e9256e71df90c82f19

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\const.dat

Filesize
4KB

MD5
39aaf34d15f479955d37437a930e6758

SHA1
51e149a559e90a4d1d11bf5f26327afec027ca82

SHA256
1cea7a1e7f3b2af23c6081166083da2ed412c71daf359bc1db20957670fe2772

SHA512
099677e35cd2f098639de0f9dc4043c855747d79b71241e34653aa6dcd72176ceca3e6f4ff288220e4facf9e2fd4ea15a636d922d99f75c91d881e7ffb7794fa

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\data\topic.db

Filesize
17KB

MD5
8d2372ed77c07473de5ddd36b4a0ade3

SHA1
564bf55c75d7d9cedc9f9d96d9bf0c7a7c5697ed

SHA256
a64e6bd923bef4d9f28bc5690d0c4002b59e73a6023ff344a4dde41f7ed48932

SHA512
776e9957cdf80cf86225bdafb95eaabdac082752cbc6d4159ae5450e8d86ec45dc469b203d865b78c9dac6503b38093da280141cacf3ed0c21c327018d65ac00

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\data\utilities.db

Filesize
751B

MD5
22ab749f89c70b019c66c596d9f6099e

SHA1
4a6089ee5530d84f9732f6affce28977a72add13

SHA256
28716b156c0a990218c1b28cdaa63e64fec8c9400b2f2da4882f1542af93a6e2

SHA512
16b78407275109686e2817040f12e3d085a79c92f8631a31b35e36099e5cb6025c0659cec7f9aa3da46d50e4b7a9ff105bdcda82fedffeca66f977e1928499e6

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\lang\English.lan

Filesize
32KB

MD5
a13d65155149c990f419bcf4e61654ce

SHA1
2b47e7d82a7f8e15dda5e06eee67b38dc91980c5

SHA256
d7bac81b2bd6492a8ab0a7f6383120e10955ecb830d85283c558b153a90e0093

SHA512
677303fd99a1e212e5b71eddb3f71902e9aaf1ca0fded3dd6cc4954fc1d1ecace5527f9113a2b40a6eb476b5eb1fc10074931efc7f247fd4a297adb452fd2bcf

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\res\16.png

Filesize
7KB

MD5
c47f04e414bd44b9eaab94c8fc254816

SHA1
12ec73ca16bbfa577fbc92719d1b61ff09f7bd58

SHA256
716abb298fb6dc3b88485ae519f1ddfc2738dabc81dcdb71eefe972c3a65b069

SHA512
b2a48ca6e409b630c46a574e16fe880654e07400de65259210e89fb44b94ed15f26542251e2ea6f3519a41d8be2cfcd19823626bf1318ac0a3458d849624a9f6

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\res\32.png

Filesize
6KB

MD5
7df9873c95efb4f5f847dc2e25cb1a61

SHA1
a7f124986d5923226b5e812502a2b9ef3893c13f

SHA256
fdff06daa2b97212789d7b2a4d2f7cab58ae53254cdc3c875dde30bc704e69ea

SHA512
cced9e1504b3a8b744b407b6ca8110fbab3d81f4f0a9c20d096914d0d5b3b5266c86624d8fa86a590e9504d3beffde6eeba531cbf8ead8405379a0b80d138111

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\res\icon.ico

Filesize
2KB

MD5
b3439a18499db27dd2449a4154793955

SHA1
17fcb5f695157db041d99523513a15670d08d3a0

SHA256
e00c2c7836f9742062af3406f87113d56d51de93ebc333086ae8e46e487cec56

SHA512
edd106e590228fda8f5655fcf91f373bcc26e65ac579a882056db4e4f53aa9ddf0af7ad7615105887687753c47dc0f09a26cd8100fa34099c014760e15472003

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\res\images\background.png

Filesize
59KB

MD5
1e4f327cda98b132fb55842be6c35fbf

SHA1
bbd3c56d537c93443a399f61865e0e188e77282c

SHA256
86531b30ee554794d8a7ff9b9348c7a483c46ca7517644349109e54322fb85a9

SHA512
a3d58220b8f73e34886f2d4d7794550ae5bf581811c12dc42128a276cb1346bbdbd838f0436b962cf8445f9c6b04d2d7fa165ccc2357a24f5e316898533e221e

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\res\info.html

Filesize
1KB

MD5
4133ae9746723d5098cc606f1d087d08

SHA1
df0b52ae9b5a6aa9b9b0741173e935bf02a0f699

SHA256
e6f63c573034320ae2c6b0ed9e7d6b3b90ef1229cf471fa672bb54eb331fa8d9

SHA512
c41f10c4c4a683bb4d95e23ec58938becc56a00235d84add760a46f77171c56aa38e52fba5640f0a87c2d1d4787d891415fd700ef08837152afa2c60f4ed0898

Download Submit
C:\Program Files (x86)\GenuineRegistryDoctor\skins\Default.skn

Filesize
126KB

MD5
1c7b0750bb159b6c3c6e31cf5f540e77

SHA1
299339f25183a42e1dfd2f7e9767770e94c93df8

SHA256
6358f278804ae31c92a97c3face6e23db5f936bde93e38d1492acbe061562d14

SHA512
658d3cdc1bc37357e6dd0bf45341afbb121df9db68eeaaf8ee49f364b78b3d4e101012249649f1ca0baee946c9810edbaf2ffebd6272378d70fd032c26febc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71d90ab0a745db6d535dbc6f95bf92d2

SHA1
2919ccd712c10c55e2eb5f4a165782d7da1a65fb

SHA256
f22654306f166313c429cd4ddbcfba5afd0087afd6bb66146534b1efbc5ed55b

SHA512
58b72d37c22c29ef45005024d58913faa484f090b69411be9e79563eb84c4d612336d612ee043c919b419120f0606f4e1db9802ed59df8638a9663ea7cc01db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
727a945e6332ce989c095f32eddd57b3

SHA1
896df7a88fabd1604d87263eb5d02f13244a950a

SHA256
decd9963f90ec5f17501049d0d90dda314f510ff5744a4e4d7ff6b2f9600c414

SHA512
f473591d43bc12ba79f09854f60114e576770d02350898687fd2b7db393a3d32af476e0bec6daa8731a08b4c6861dc76114c7624b90c4d33e2acbf685a6c036a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45e4683485be61490db860da006c6bb8

SHA1
7ff57fcbe1551368280150d27830e1068e1089a7

SHA256
e9cae467c6c1c8cb9dea5b3c72f728f6a3e8aed73a050ec0565e7b408c42a5bf

SHA512
95046555c2abc36829e0936c61e650c38643420af1930b97481d6a99d83e05873e9cca29a632bfe4ae60cd7d49d33c359c3d0e5f7f7ade73e2df518231aecb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\CheckInstall.exe

Filesize
1.5MB

MD5
99eae10da4986df6b5e63244468b6e1d

SHA1
84f260486b9a7f80e55b3190a363eccbfbfcd998

SHA256
b7c5e8dc04e178e54cc54c975a0eed217b6972aa7ded5ab365cfd9738e9849d2

SHA512
f658f4ec40009bab4bf5bc2456c4461ff8836dca8b38a652c446cb5bc3cd7fdee2e5d836af6fa6b16bf2541ae8c646630169a8f500f38a1a2151475ee75338b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\InstallOptions.dll

Filesize
14KB

MD5
ec48a8204e1aed3d9a951cd92158cbe3

SHA1
0db29522e15448553b697b88b31a3d8392efd933

SHA256
3166399ed2ee296749aa412a4ec70807373b6349e9b94a7fcd97c3418f744f0f

SHA512
9b0ab63fbe4bf89ddf93e5fc6922cc95c0586e21dea945ce04065afd7957bd2472e34c909d356123346f62dee4c6d6077a0072810c91b61ad3df4c168cdb79d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\ioSpecial.ini

Filesize
537B

MD5
57ceb479ed88d1afb016aacf612c46fe

SHA1
8e774bbe2fdfc2725fbb47024b54edda77053f9c

SHA256
a21358e7acf498aabecc9fcc5aae4b7c246821a3ff3e5a4d6611c61927894edc

SHA512
eb4e90a0cf267dc000df172dc491d768688fb4cec10581ace0472d3f1a8a7e124928a67b095b451a14090c7248779cb47a16677dcc103ed0df5cf74c7609ac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\ioSpecial.ini

Filesize
883B

MD5
2af344e3e3903fa21cbe0a76ac3855da

SHA1
3d6b342fae761d866026816c579ddacf175d9b77

SHA256
45ebe6729aa997e2b355978181ef81474fcda3cae83d8c0e5feb3eb03b6a98ae

SHA512
4870e991079dc823818b1b42c4a4986828ca662ba0bd3783c6e8ea91cba228dac9df98a9b72f5617b3eaf6e080dd3ef797a465f92cbd6840c7499ba4ff0f3fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\ioSpecial.ini

Filesize
910B

MD5
61ff53aa4f3e1bf8c6e09989d16f9a59

SHA1
cbeb0f291bba55a3c4a969d33238001fd7fcdecd

SHA256
a2e397bc27723e279d9757ebf7aee0453ac5342321489ae2d837e40e2a2ddf30

SHA512
7b32cc868da79126d36886eb546c7023b4186f55a1d31cb463134bd88175e77c9d9a479ecfe33463bffefde2d5cd42134e3bc24e485a3f0d89b1dfb0ccd1190c

Download Submit
memory/368-104-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/368-105-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2364-317-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2364-318-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/2364-330-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/4104-238-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download