Overview

Score: 10

Static

Sample                 Platform              Score
f6c0e59d2b...18.exe    windows7-x64          10
f6c0e59d2b...18.exe    windows10-2004-x64    10
"MT.dll                windows7-x64          3
"MT.dll                windows10-2004-x64    3
"MT.exe                windows7-x64          3
"MT.exe                windows10-2004-x64    3
"MT.dll                windows7-x64          3
"MT.dll                windows10-2004-x64    3
"MT.dll                windows7-x64          3
"MT.dll                windows10-2004-x64    3
"MT.chm                windows7-x64          1
"MT.chm                windows10-2004-x64    1
"MT.exe                windows7-x64          6
"MT.exe                windows10-2004-x64    6
$PLUGINSDI...ns.dll    windows7-x64          3
$PLUGINSDI...ns.dll    windows10-2004-x64    3
AKV.exe                windows7-x64          3
AKV.exe                windows10-2004-x64    3
Uninstall.exe          windows7-x64          7
Uninstall.exe          windows10-2004-x64    7
qs.html                windows7-x64          3
qs.html                windows10-2004-x64    3

Analysis
max time kernel:   146s
max time network:  150s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         16/12/2024, 01:55
Behavioral tasks

Task          Sample                                                Resource
behavioral1   f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe    win7-20240903-en
behavioral2   f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe    win10v2004-20241007-en
behavioral3   "MT.dll                                               win7-20241010-en
behavioral4   "MT.dll                                               win10v2004-20241007-en
behavioral5   "MT.exe                                               win7-20240903-en
behavioral6   "MT.exe                                               win10v2004-20241007-en
behavioral7   "MT.dll                                               win7-20240903-en
behavioral8   "MT.dll                                               win10v2004-20241007-en
behavioral9   "MT.dll                                               win7-20241010-en
behavioral10  "MT.dll                                               win10v2004-20241007-en
behavioral11  "MT.chm                                               win7-20240903-en
behavioral12  "MT.chm                                               win10v2004-20241007-en
behavioral13  "MT.exe                                               win7-20240903-en
behavioral14  "MT.exe                                               win10v2004-20241007-en
behavioral15  $PLUGINSDIR/InstallOptions.dll                        win7-20241010-en
behavioral16  $PLUGINSDIR/InstallOptions.dll                        win10v2004-20241007-en
behavioral17  AKV.exe                                               win7-20241023-en
behavioral18  AKV.exe                                               win10v2004-20241007-en
behavioral19  Uninstall.exe                                         win7-20240903-en
behavioral20  Uninstall.exe                                         win10v2004-20241007-en
behavioral21  qs.html                                               win7-20240903-en
behavioral22  qs.html                                               win10v2004-20241007-en
General

Target:  f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
Size:    263KB
MD5:     f6c0e59d2bf4e3a26bffbc4f534c8398
SHA1:    357acce7d203efc55ac3208c2750226fca39d034
SHA256:  0aad85d84f05a4a15d601dde72683f809fed0373f57c99c4e4029d9f8e1d5ef3
SHA512:  ed0f0fcfaf42cd3ad019591a11e1c926b75fa191a0683b59aab80124e8e32975fb1f9e2895762bf8189b2a8b1ced42984f448e89d7819709ea3474fce1dba503
SSDEEP:  6144:uMre14YG/6rQ+u5efO+0mX16ahX/K0KwjOKPbenLBKln:u/S3/saoO+0mX16jeOaKLByn
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x0009000000023bbf-144.dat   yara_rule: family_ardamax

Executes dropped EXE (1 IoC)
  PID 4376   MT.exe

Loads dropped DLL (2 IoCs)
  PID 3944   f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  PID 4376   MT.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MT = "C:\\Program Files (x86)\\MT\\MT.exe"   MT.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (24 IoCs)
  File created                  C:\Program Files (x86)\MT\MT.003          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\AKV.exe         f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.chm          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\MT.exe          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.007          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.004          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\tray.gif        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT                 MT.exe
  File created                  C:\Program Files (x86)\MT\MT.006          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.003          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\AKV.exe         f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\license.txt     f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\qs.html         f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\tray.gif        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\menu.gif        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\menu.gif        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.006          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\MT.004          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\MT.chm          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\license.txt     f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\qs.html         f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\Uninstall.exe   f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\MT\MT.exe          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\MT\MT.007          f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MT.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 4016   msedge.exe            (2 entries)
  PID 4848   msedge.exe            (2 entries)
  PID 2304   identity_helper.exe   (2 entries)
  PID 4152   msedge.exe            (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID 4848   msedge.exe   (6 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33                           PID 4376   MT.exe
  Token: SeIncBasePriorityPrivilege   PID 4376   MT.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 4376   MT.exe       (1 entry)
  PID 4848   msedge.exe   (25 entries)

Suspicious use of SendNotifyMessage (25 IoCs)
  PID 4376   MT.exe       (1 entry)
  PID 4848   msedge.exe   (24 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4376   MT.exe   (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID  Source process                                        Target PID  procid_target
  3944        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe    4376        97    (3 entries)
  3944        f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe    4848        98    (2 entries)
  4848        msedge.exe                                            3972        99    (2 entries)
  4848        msedge.exe                                            4352        100   (repeated)
  4848        msedge.exe                                            4016        101   (2 entries)
  4848        msedge.exe                                            448         102   (repeated)
  The 4352 and 448 rows together account for the remaining 55 of the 64 entries.
Processes

C:\Users\Admin\AppData\Local\Temp\f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe   (PID 3944, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\MT\MT.exe   (PID 4376, depth 2)
    Command line: "C:\Program Files (x86)\MT\MT.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4848, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\MT\qs.html
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 3972, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffda2546f8,0x7fffda254708,0x7fffda254718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4352, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4016, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 448, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 1632, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4544, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   (PID 2928, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe   (PID 2304, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4904, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 3092, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 3656, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 2508, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (PID 4152, depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11778205403245365885,5236568142025984696,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe   (PID 2832, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe   (PID 3136, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
  MD5:    1153fe5fbe61266713539cae72d87ad3
  SHA1:   245047d3d158f4eda34290ed22e4bb13a28f9539
  SHA256: 3b2700a8033916afd0e89ab5519702720f35b94a570ebe865df113f2aacda16c
  SHA512: 24058cdebaf8ccfc00622301927b221116b846c2a8acf8f0935ba30e0d716bfecd6ab07aaf8d93030ec2149ee98eec5f6d2395ee8a1a62ad00e07124447c107c

Filesize: 231KB
  MD5:    79c6903c4794af027053331946137b26
  SHA1:   b688916709014fc874c5b7870553105a9961c652
  SHA256: f3cbf3dd3f229f6119a8be5357959b77af1a43f9d568a7febe9a06f7593b20ed
  SHA512: ac28813dcdc38ff1b0736b1673ced7e35d7da5667b0224b88952908564373ae61aff1b0f03d27e40b613559c8d4e37c402269791db2ed1311f62d069a2e5111e

Filesize: 7KB
  MD5:    572a4a33a8f93014f69c7f1ccaa54273
  SHA1:   136c0b3818b572c83c26869f0bf6cf2bd36f2036
  SHA256: 50245484d8606762cbba8d67b0238f7283a061d67b5e9f1f374064de695e0260
  SHA512: d2582ca552b7d2f7fb576ba220ce9f122f4ecafac311b9d1c9f62062f4b0ccd707b7a77a86ba7a856f1ae68eddfe872e653a1b7246359040f3c7b92e33b7dce2

Filesize: 1KB
  MD5:    1f8a533b1761fd59231b763303647650
  SHA1:   8f4f75b6b7228257b501c6b3f990d27c55ee1b7f
  SHA256: 1a962c7395d596113445b2b7fa0efd5bde4b64a413aa528daed9b7327aa2ae07
  SHA512: f04535920dba1a820b1253c61b347bde4d14307258b1ecf866b9f481045cef074307500bdb1c4bb5bfe4f9a22811ba79df42f38141df15d3ae332b445095ad1a

Filesize: 1KB
  MD5:    7dd88dca29c7388f7423ef7cf917b202
  SHA1:   a16cfc0b8f08c4381dfdd3737d7610f01af54c00
  SHA256: 3140583f655378fbc1066339a4dd09a5a008570c77e9c6d022cd20b3d8cc9b43
  SHA512: 09a23c5b7b893bb8b3f988bf2e4deaf8811ed143abf560c2176abd9b638a5d1601be06abb6645568fc656739efaa13b8852cf1dd6e469140e471a37c60861b91

Filesize: 152B
  MD5:    37f660dd4b6ddf23bc37f5c823d1c33a
  SHA1:   1c35538aa307a3e09d15519df6ace99674ae428b
  SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
  SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Filesize: 152B
  MD5:    d7cb450b1315c63b1d5d89d98ba22da5
  SHA1:   694005cd9e1a4c54e0b83d0598a8a0c089df1556
  SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
  SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Filesize: 6KB
  MD5:    5e8397fed7577dd5074f069398d061a7
  SHA1:   a0cb5547c0e0d63f8562b2050d4a4c7075fbe014
  SHA256: ebb06da31db7725fd16143323b85e6c9450f479e3651ebeacb320bbd2f2624a6
  SHA512: e91f2fb70714980637dc32afeab79b27466db7c14f01f490b61fa0646873104c309cce3c8f5c838c8bcf03d30637fe8f6cfef773d8898447d78fd584bb5229f2

Filesize: 5KB
  MD5:    ee68749f8c53197bbf63ffac4b4fcdbe
  SHA1:   72938f4a838cf08e6322cf8d700bcfd9ce0e6ed4
  SHA256: 23bd3faa70cc298ce558613792fe2af127f4ba1f293a89924f6aaec967985f96
  SHA512: 67e7acff32aecbd52d0548daeaf22f72b54f4e60f14ec9ad5be7226fcc9834970ecc56b3d174017ad7ee59f5476757ca0b5ff0b1b15835d2c6837ca7e94338de

Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
  MD5:    881aa2a09574b56a30b6b5cbd3dcab20
  SHA1:   570dca80108640d758fa5d8eeab764f80d800ad6
  SHA256: e06edeb213f5784eab14475495638168cd6e18c8c9cc2e22b2bc196c7a129ca1
  SHA512: 02f51c4f98846329b298636b99a62622b15c7fabfed1415244fa5055568143a08ab3ee77e2d0d4dfe867c028e8443a75c415e48e46301b8c7983535ddfbd6149

Filesize: 12KB
  MD5:    9aff00ec14e6cb71a13451011c580077
  SHA1:   5972140e4a0addb9eac685fe6037da7479f23ecf
  SHA256: cc8145683ad8fd77bd5cca193e84188e40d6d03a0a0d1d00e2bdbef91be96bb3
  SHA512: 311abd4e9927c1424d794ba401f3935ad3b108a2124e58e0d29aa946514c7a1d62b9b08b013699f4f90796bdfb6c07211daddbb521c1d20ccee771f6ea43b110

Filesize: 745B
  MD5:    79f9e86130e348c3d4c646ca7a48cee3
  SHA1:   6f4569f218354a7c5364183bc1b0fdca36c7cee0
  SHA256: 36c9d3a6a7db6eab2c1e0a9487f56a808abc1622df1cb897d7ba430febbf164d
  SHA512: b58709e4202258741429d954f5108b10eaefb9c3cd343a57368ea28357494e4a31d11b84225d7e5c5d7e5cbf617f3e19582d96e65b1c4d8a5e918644f1fd3e1d

Filesize: 736B
  MD5:    64c791c4f3b089ea64a81e4cfdc93995
  SHA1:   839e78eff36d727958bd158010cea1b5813183d3
  SHA256: d89335c84e43092d4e8d451d7abc5f8daf22b89a5dfb0a628a8470443769efb2
  SHA512: ad423ab711b7358ef6858cc91a662d625ae42fd303bcaca0984a38109c4cba42889a0ded0ba17acf834e8bc98392a1a8b72bcff4c2c011a65ee01201251615ff