2c4fc168ba1c028f203994426fa8e7ccb32e3dfd2d7bb5d2fee45675a7bb4fbc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
Size

171KB
MD5

f03da91362839b14c80a88a3c5ce1ed0
SHA1

f142d5c236c22e339253ac2cc5c675a24bd10de6
SHA256

2c4fc168ba1c028f203994426fa8e7ccb32e3dfd2d7bb5d2fee45675a7bb4fbc
SHA512

9681ad5ff05a078515d98451afeecc06d1db02d239a0575dc0096d6a5a47285fb1b84c330be90aba95d3af7da68d6b4fba351e10664bd3b92aa408b572f8e642
SSDEEP

3072:WRJxc9wnNaSavqVroWuy1ojigHAJiQhCWZ6qaZTdbRZWeoSuxYF:WRJIZvwrhuy1oj/AJbCO6qaZhbRZkC

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
924	2976	WerFault.exe	83

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Microsoft\Internet Explorer\Download	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
1876	msedge.exe
1876	msedge.exe
5048	msedge.exe
5048	msedge.exe
4084	identity_helper.exe
4084	identity_helper.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4400	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 5048	2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe	95
PID 2976 wrote to memory of 5048	2976	f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe	95
PID 5048 wrote to memory of 1424	5048	msedge.exe	96
PID 5048 wrote to memory of 1424	5048	msedge.exe	96
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 412	5048	msedge.exe	97
PID 5048 wrote to memory of 1876	5048	msedge.exe	98
PID 5048 wrote to memory of 1876	5048	msedge.exe	98
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99
PID 5048 wrote to memory of 3464	5048	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f03da91362839b14c80a88a3c5ce1ed0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 388
  2⤵
  - Program crash
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb627646f8,0x7ffb62764708,0x7ffb62764718
    3⤵
    PID:1424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3564 /prefetch:8
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:1208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
    3⤵
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3968806218683391367,4786303172927946537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2976 -ip 2976
1⤵
PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7e0880992c640aca08737893588a0010

SHA1
6ceec5cb125a52751de8aeda4bab7112f68ae0fe

SHA256
8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2

SHA512
52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2f0fe48e7ee1aad1c24db5c01c354a

SHA1
5bfeb862e107dd290d87385dc9369bd7a1006b36

SHA256
f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9

SHA512
140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
8ee223ab7a002b90eb5befa255cb390a

SHA1
7a058ae14aac70de01fe476305505ddd6fde477c

SHA256
01bd29f5a8965ff1dacfd64cbd0dd323ac91a73ea57c8d8c4741d5c37d05747d

SHA512
68b48a075f264158f0fa6fb81972261ecbb4a25f5534e403b58ad18cc5bba8c57a1b3ffb77bfd7e4c516e0c9c1f11ca9db50659ba82946329facc61bd040e3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e8c0cd95d74df43a47b6fd1ee182d743

SHA1
cf8eaea2ef464ea76d4acecd4af9f4978277cb0e

SHA256
394c7ccbe2161606ec37f6ad073fe38cee6a534ee9407dfba46b108c29ad39b6

SHA512
c214d537461c4531fa2b465a0bb1b03f8d66e574366f6879dfadc687d12d1fc34710f8ebe52f4f16d0bb81f10547fd248aa0d92b354a2c8226403f8f90aa6076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0b34e9a99b01c8c4c317fe7f0e7bef0b

SHA1
6c5e024ffc3c47d28b167f3129397d90b5b6efa5

SHA256
3c0dfe90496910f16e59ac3cbcd694c68b58a66c5931dab06addb91be96f2842

SHA512
6322681d1150c2f690e8b28842c1196b105433157dbc66861032768fec89433087f415d94813d25e4cdddf56fcdfb8197f9c245d252190ae5750066b40f1eac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18465c32642c728daf8723d9419cd579

SHA1
7e9202ecb10058cfd8a38d14862a5f8c6e99ad67

SHA256
c7beda6904ab036ebfb648cab333e86914c47ecae423ea05b79ff8a4a3b5a0b3

SHA512
d86fec2e14e8b173b288e78c4ec558b3a379dd9de2b7be22c5553431da11028b3536de8e10a9e2be45f386cdcec8e4e3267cf0f6adf155ef91ac7d8461fb70f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69752f5eeec522506ddb6d4d40ac5750

SHA1
9c3cf689874592338839ca8afddb9ac9ca209d01

SHA256
67e64e3410df42ba36be6158ae7ce866dc73ffb6b960d66979c5945d2a876b7a

SHA512
7c1fdebb4db3a2905c81043121752c23c2a3313871e85a0a6005dac3b1c80fa5972e702837a21a5d31dae399c59cc1d5e3076cb502492a49dd64c5d95193186d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9f67bd53-0dcf-4398-8b89-8961c6eac3e3\index-dir\the-real-index

Filesize
2KB

MD5
b8cf09cbe34fa9f4b6e16f5dd9a0ee9a

SHA1
2e43c8aab825dc7ab4012daa61c5964c41891652

SHA256
d59647a57bc3c24153962e28ba0c36434543e6ef53712f7191b25d009603fe72

SHA512
08b137c6e25c7b89f1fc49820ad10a586e9eaaec3d42ce3e5b2e7b1e6fafd56fd238ad7ef267a9c44dd0587cd4facd3bfd08a6024fcd2de69d879ff9e23ca40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9f67bd53-0dcf-4398-8b89-8961c6eac3e3\index-dir\the-real-index~RFe57cb20.TMP

Filesize
48B

MD5
3261be5b4d22954a074551ee64eb2825

SHA1
9e3955aa515ac882c69d6850bc7f1d1186003338

SHA256
d9578801391c6cda60dd3f1e8d404c115d347f0e6d2d6b41c1d3c9fbfcf029de

SHA512
cbe51672fc4d0c4cb71fc546e0447804bd4b59dfd205388a15a0c5857746facb11eda1264a4e7c16eaa9ae6480d38012e9602d2c1fd3b6f05cad696cd888f865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
77a92f88720e1309a061ab7100c8e510

SHA1
08bcc6d9cb53b7bada5acde585ae685340a21b65

SHA256
55fb194496682e195831605f3dc0d22a496507c6352a81b136778e6b9c291f13

SHA512
db6e2f98a148399e01481dd5df87f9a7b33f2c3080b76f31da0725ae913b0bd93c70674b02637507b590fdaf27ca0b857592a5e7a0244d987351240d9f2b0ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
36b510a0ebf6ac2f6d4e1623159a3e21

SHA1
864dc3fa456dbe80b455e0a53838854fa001ceb2

SHA256
8fb81a1e11e769a172e0aa2db429353d8da2899c6aa1eafa128b371fb4675e0e

SHA512
320f4b3ee9b75d484cdc074bfa84ceb4f3c664615ee6ba56b535680a091453a17d15855b2015bd049e36967551a4299521ca81901e2ba74f315a4312d8db5243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
8bd4980fdf2adcfdd84856dfc2a1e968

SHA1
8df558dcd7ac3e3c748db80bc41ffc5693837660

SHA256
7f8b311ac91b6e9cf0e52587d2c5a9a1638e8c23d9e2497188d50d745a3252a5

SHA512
ed9d9fb0d7b91b3725da91c4fd0715dbe5b836862a25ad7f44dddb206691cee5fc8ee6319b6bfc2e3676441cd299d51e5c287db1eb41eff9d251f5569d0bf490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe577697.TMP

Filesize
89B

MD5
1f64588436e6cc21222bb570eb30bd28

SHA1
3754a8f336acc71df20bfccbc768157eeafde32f

SHA256
c3a0503d2166a9ab9aef436bb5f21ee1dd0035bd3c865d85b323190a56beaa90

SHA512
a07a8c39ff22d26eba208a63c299501296bd216e259819abb72b3b71536fd554195970e3875f3b3b62db4017c0d83d2a0b6357f9f9baaa75d840f38b19173d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
88f68a51dd8f33c72d425972e36a37e2

SHA1
69c3405b4a0f01b63d77ac808d47d4f6dbeb2d8a

SHA256
597f9ed2ea629361767406aa110defcf6df1562ff2591a801a9616190dbbc65e

SHA512
31ad947dda910019c4b85c73ba0ec32d35484fce343cfc5257fe1f41b3adc66ffc30de0627182521f1394ba4cdc59d20b041f28022d3cc6bde79beae9a9b3bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c5a2.TMP

Filesize
48B

MD5
d95c0138b7160b1477e73e67d349d0bc

SHA1
d30c30a9789338e0233ffc8e05fa456fa07b3012

SHA256
a4464f0dc841678d48440a1fab7652fe8d504a8ecb3de13edb9ae426dd421c2e

SHA512
ad8a35361076866e0d387117a9e94102415659d5dd8c23efd1819dcd20072e806fa870c546aed118643b069cff3679b65e882d66d32b850a26cb366613da86a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f01fe9b533fd3adf5a8e17fd8ac781a2

SHA1
c9d698ab45e479e36961b28b0393543c2529c0a7

SHA256
74edc7f26e062d07625298cecb833fa0154d93c79db9f74200ba2438abb645c9

SHA512
84af96afac52ba2e4eadaf757c760a75b53af0fadcacd5fd283f67c18bed06166b502c58bd510c0a7f6625f73cd8cbae65ce2407362a4d401f59cd850f777b8a

Download Submit
memory/2976-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2976-7-0x0000000000720000-0x0000000000766000-memory.dmp

Filesize
280KB

Download
memory/2976-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2976-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2976-2-0x0000000000720000-0x0000000000766000-memory.dmp

Filesize
280KB

Download