Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Tasks (score per task)
Overview: 10
Static: 10
JaffaCakes...ef.exe, windows7-x64: 10
JaffaCakes...ef.exe, windows10-2004-x64: 10
"AKL.dll, windows7-x64: 3
"AKL.dll, windows10-2004-x64: 3
"AKL.exe, windows7-x64: 3
"AKL.exe, windows10-2004-x64: 3
"AKL.dll, windows7-x64: 3
"AKL.dll, windows10-2004-x64: 3
"AKL.dll, windows7-x64: 3
"AKL.dll, windows10-2004-x64: 3
"AKL.chm, windows7-x64: 1
"AKL.chm, windows10-2004-x64: 1
"AKL.exe, windows7-x64: 6
"AKL.exe, windows10-2004-x64: 6
$PLUGINSDI...ns.dll, windows7-x64: 3
$PLUGINSDI...ns.dll, windows10-2004-x64: 3
AKV.exe, windows7-x64: 3
AKV.exe, windows10-2004-x64: 3
Uninstall.exe, windows7-x64: 7
Uninstall.exe, windows10-2004-x64: 7
qs.html, windows7-x64: 3
qs.html, windows10-2004-x64: 3
Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2025, 22:55
Behavioral tasks
behavioral1: Sample JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe, Resource win7-20240903-en
behavioral2: Sample JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe, Resource win10v2004-20250129-en
behavioral3: Sample "AKL.dll, Resource win7-20241010-en
behavioral4: Sample "AKL.dll, Resource win10v2004-20250129-en
behavioral5: Sample "AKL.exe, Resource win7-20240903-en
behavioral6: Sample "AKL.exe, Resource win10v2004-20250129-en
behavioral7: Sample "AKL.dll, Resource win7-20240903-en
behavioral8: Sample "AKL.dll, Resource win10v2004-20250129-en
behavioral9: Sample "AKL.dll, Resource win7-20240903-en
behavioral10: Sample "AKL.dll, Resource win10v2004-20250129-en
behavioral11: Sample "AKL.chm, Resource win7-20240903-en
behavioral12: Sample "AKL.chm, Resource win10v2004-20241007-en
behavioral13: Sample "AKL.exe, Resource win7-20241010-en
behavioral14: Sample "AKL.exe, Resource win10v2004-20250129-en
behavioral15: Sample $PLUGINSDIR/InstallOptions.dll, Resource win7-20240708-en
behavioral16: Sample $PLUGINSDIR/InstallOptions.dll, Resource win10v2004-20241007-en
behavioral17: Sample AKV.exe, Resource win7-20241010-en
behavioral18: Sample AKV.exe, Resource win10v2004-20250129-en
behavioral19: Sample Uninstall.exe, Resource win7-20241023-en
behavioral20: Sample Uninstall.exe, Resource win10v2004-20250129-en
behavioral21: Sample qs.html, Resource win7-20240903-en
behavioral22: Sample qs.html, Resource win10v2004-20250129-en
General
Target: JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
Size: 255KB
MD5: 6e9fdbd85c3f5e072b9cbe6a5fe316ef
SHA1: 231d7f60c403a39483731c76e1ad4f3e75dfde38
SHA256: 73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63
SHA512: ad7164b14e12b822e9e784e1aaa7a0ea97e9076f321b735565f9a56cd882c6fc004c61b1297c20bd89b472718ca6ffc83577a2e79d3ce4467f4f26c2a22ff4e7
SSDEEP: 6144:DMrpk9YeqVCVyMRi8D6/MynywM29rAXIHDZOS0qPyKMo/S:D0EFYQyWtSfBZrLHVoQyKz/S
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000023c5b-145.dat | family_ardamax

Executes dropped EXE (1 IoCs)
pid | Process
3892 | AKL.exe

Loads dropped DLL (2 IoCs)
pid | Process
3492 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
3892 | AKL.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AKL = "C:\\Program Files (x86)\\AKL\\AKL.exe" | AKL.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\AKL\AKL.exe | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKL.006 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\tray.gif | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\menu.gif | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\menu.gif | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\tray.gif | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKL.chm | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKL.007 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKL.007 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKL.004 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKV.exe | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKV.exe | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\qs.html | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL | AKL.exe
File created | C:\Program Files (x86)\AKL\AKL.003 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\qs.html | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKL.chm | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\Uninstall.exe | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKL.exe | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\AKL.006 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKL.003 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\AKL.004 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification | C:\Program Files (x86)\AKL\license.txt | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created | C:\Program Files (x86)\AKL\license.txt | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AKL.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs; repeated rows are collapsed with a count)
pid | Process
852 | msedge.exe (x2)
3220 | msedge.exe (x3)
3612 | identity_helper.exe (x2)
5092 | msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process
3220 | msedge.exe (x6)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: 33 | 3892 | AKL.exe
Token: SeIncBasePriorityPrivilege | 3892 | AKL.exe

Suspicious use of FindShellTrayWindow (26 IoCs)
pid | Process
3892 | AKL.exe
3220 | msedge.exe (x25)

Suspicious use of SendNotifyMessage (25 IoCs)
pid | Process
3892 | AKL.exe
3220 | msedge.exe (x24)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3892 | AKL.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows are collapsed with a count)
description | pid | Process | procid_target
PID 3492 wrote to memory of 3892 | 3492 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe | 87 (x3)
PID 3492 wrote to memory of 3220 | 3492 | JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe | 88 (x2)
PID 3220 wrote to memory of 4628 | 3220 | msedge.exe | 89 (x2)
PID 3220 wrote to memory of 3936 | 3220 | msedge.exe | 90 (x40)
PID 3220 wrote to memory of 852 | 3220 | msedge.exe | 91 (x2)
PID 3220 wrote to memory of 4820 | 3220 | msedge.exe | 92 (x15)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe (PID 3492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\AKL\AKL.exe (PID 3892)
    Command line: "C:\Program Files (x86)\AKL\AKL.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\AKL\qs.html
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4628)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffebd2846f8,0x7ffebd284708,0x7ffebd284718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 852)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4820)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 980)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1732)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 456)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3612)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4468)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1472)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 372)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2076)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4236)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2756)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: 626b46c466bcc63f2888dbe1bf7c07ea
SHA1: d6348cd2e7471c71940b22329057dabb6eb9b1aa
SHA256: 447973833fe70c0fdfbde12b03af25c8e238b976703b3a349ce24db7bff6dbb3
SHA512: 7ec431c583427b49e355299dbe7192c14fecb12b953e04e4844ced42b33618dd66d04b94dc811c21dae965801385d283572e6c164d6df89c392ee0bf045187f0

Filesize: 218KB
MD5: 780bdf7f767d8a85f1844721cd0077fa
SHA1: 1ad480226e8532edda9909030cadac61c9a22ba1
SHA256: 39f0a4980627c596514e51a540d4e721c8f1bf3d0c9e69abc8b3f11f7c4b9314
SHA512: 6d68ac87d611ca8dc3869438346681782df17f70128200edc35a82defc966da2597aaf4416bbd4a7f7b34b5ca424491bf4c4b7148aea02502242519b0c8e0577

Filesize: 7KB
MD5: 572a4a33a8f93014f69c7f1ccaa54273
SHA1: 136c0b3818b572c83c26869f0bf6cf2bd36f2036
SHA256: 50245484d8606762cbba8d67b0238f7283a061d67b5e9f1f374064de695e0260
SHA512: d2582ca552b7d2f7fb576ba220ce9f122f4ecafac311b9d1c9f62062f4b0ccd707b7a77a86ba7a856f1ae68eddfe872e653a1b7246359040f3c7b92e33b7dce2

Filesize: 1KB
MD5: 1f8a533b1761fd59231b763303647650
SHA1: 8f4f75b6b7228257b501c6b3f990d27c55ee1b7f
SHA256: 1a962c7395d596113445b2b7fa0efd5bde4b64a413aa528daed9b7327aa2ae07
SHA512: f04535920dba1a820b1253c61b347bde4d14307258b1ecf866b9f481045cef074307500bdb1c4bb5bfe4f9a22811ba79df42f38141df15d3ae332b445095ad1a

Filesize: 1KB
MD5: 7dd88dca29c7388f7423ef7cf917b202
SHA1: a16cfc0b8f08c4381dfdd3737d7610f01af54c00
SHA256: 3140583f655378fbc1066339a4dd09a5a008570c77e9c6d022cd20b3d8cc9b43
SHA512: 09a23c5b7b893bb8b3f988bf2e4deaf8811ed143abf560c2176abd9b638a5d1601be06abb6645568fc656739efaa13b8852cf1dd6e469140e471a37c60861b91

Filesize: 152B
MD5: 709e5bc1c62a5aa20abcf92d1a3ae51c
SHA1: 71c8b6688cd83f8ba088d3d44d851c19ee9ccff6
SHA256: aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e
SHA512: b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Filesize: 152B
MD5: bc29044ff79dd25458f32c381dc676af
SHA1: f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7
SHA256: efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f
SHA512: 3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53b350b9-a743-49dd-b306-91f797cdc78a.tmp
Filesize: 6KB
MD5: 6ec8913bf79e96128261ebf33e32e91d
SHA1: da882cda172988cb39885a09f7719487ea3cf4e3
SHA256: 7af65aba2450ebd500b019519b360385ad891c07d4af3a7421efe67618679c4e
SHA512: fd4d03b814779ba1296e00d67cbf65e5808f3181ea7754f55e542a2538b7003574c50be26bfe650c4bf5c10c31e83fb0010540506f83b2b1c3cb8beeefacdd36

Filesize: 6KB
MD5: 375c2abeeb2130ac54026ff9617048fb
SHA1: 0754e9bf6902adf8f6f72e6f342236cbe7ef7679
SHA256: 7328620880f63fa03ad779f18a2c310793e4545fd51152e8786b3e80c17a09a3
SHA512: a6c3fdf6c6d95ca6755129b1c7b32974ebe8eadcf48f7521e1786b0c6ff3433138a2f52b407a6cdbe6d063cad650295ca8f1ccdc455d6c351777a15e6e186504

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 11KB
MD5: 6d6bd1e0b4c284f91aec7549d877c02b
SHA1: 9e31e4180b73275c9f5e3b457398883f42f1943b
SHA256: 1ef2ac7705089de84299226dfed3221fc9719795ae618b1df4b118757f66acf8
SHA512: ddcd17e04457193b62562aa5525f774d829e9b63613ff6864840492ffe256bd6b7b86cff0f1d5738c473d4616f1d299079676c8ec55400684533c27d82086860

Filesize: 12KB
MD5: 9aff00ec14e6cb71a13451011c580077
SHA1: 5972140e4a0addb9eac685fe6037da7479f23ecf
SHA256: cc8145683ad8fd77bd5cca193e84188e40d6d03a0a0d1d00e2bdbef91be96bb3
SHA512: 311abd4e9927c1424d794ba401f3935ad3b108a2124e58e0d29aa946514c7a1d62b9b08b013699f4f90796bdfb6c07211daddbb521c1d20ccee771f6ea43b110

Filesize: 745B
MD5: 5b6b93b07a2d2fa79d0cb3a0670c6d2f
SHA1: dfe62e4048b6d5d253565451ea4494d4c7f8f809
SHA256: d093b46544628b8cc62581a97bd11eac132f458f80c193ec7c9e1bd9aba34ec7
SHA512: c87e0581d0af09a968b998232ee211af7003d85ea511a50fede93b5a07184eb07599010ccf1f9dd52c2441dc2c9377b157b809dc62ad40b19caf4f2389ece0a0

Filesize: 736B
MD5: 556769b6de45aa7b0d5a4adbbc802e52
SHA1: d6b27fa59f0a79d6b9ad0a4d3c732bc36722644d
SHA256: 9c6ce37c9e1992a2ef2eadf9b06fcb39c491d38752acba3a2adc59c9736d3d47
SHA512: da1cfb577e66b9952d2b0db2c5dad1c28d3d6b5d8e60d36b62bca129b35b5c2e9c7afe780577da165367e199637523e4414e3729f288e50d5a6748265ae80405