518601dff51642f794f17841a749a9de071f19e5752ce7e0c35cad84cd103e92

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
Size

413KB
MD5

50ecc35a543a683d1c25ee62100b21c2
SHA1

04e369b119f881627ba89d3b453164b77051ee76
SHA256

518601dff51642f794f17841a749a9de071f19e5752ce7e0c35cad84cd103e92
SHA512

8c17a8ee05a298c4eb18ee4d914da35d12ffb7493300e2005f8c91ba81f886707b7eac8a12400cec058ca64bdf3a0a9bca4c5eacce490a06b7a8a0443419e203
SSDEEP

6144:XOPjvGIQQSqNp0xM6IIx5mkETtTnL3cwSoDwsSHjjM9bwHJIX+0qdtN11:wyIQQfNpq7f0Hcw4MR2DHtNf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
2552	msedge.exe
2552	msedge.exe
1456	identity_helper.exe
1456	identity_helper.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 2552	3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe	96
PID 3956 wrote to memory of 2552	3956	50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe	96
PID 2552 wrote to memory of 4300	2552	msedge.exe	97
PID 2552 wrote to memory of 4300	2552	msedge.exe	97
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 4696	2552	msedge.exe	98
PID 2552 wrote to memory of 2232	2552	msedge.exe	99
PID 2552 wrote to memory of 2232	2552	msedge.exe	99
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100
PID 2552 wrote to memory of 464	2552	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\50ecc35a543a683d1c25ee62100b21c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://120.55.138.124/NTBlY2MzNWE1NDNhNjgzZDFjMjVlZTYyMTAwYjIxYzJfSmFmZmFDYWtlczExOC5leGU=/40.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe31c246f8,0x7ffe31c24708,0x7ffe31c24718
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
    3⤵
    PID:464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:704
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
    3⤵
    PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    3⤵
    PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9740846396801514361,11798809579802900736,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c4e586fe4454e3272f5cbb1e8f6c83c

SHA1
7e59c4e64a3cd32eda6dd7fd3e61bb6f1480971d

SHA256
2b9469e8422322d4c73432c8b656c1e8dc7f088bb91e60f89bb29aad77787a81

SHA512
c8aebd1ef531787ebf3e0cec9b523e8031b7fd384fb0d9b6c3a75e0c6277875a229ea946f40efc23920cf0b7c6c67abed5927f34024c66b70c580ed384d870dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a45addb8f676ae97b7eb23cbda1c0fc9

SHA1
c36afcf6e3d0aed5b9e69248ba6ad56fd5778f0c

SHA256
79598e3c32f77aa060643c00b38ebc0363c7d376a7487f0b6e53c294ce39df10

SHA512
1c766731105aef80bce810fad57da1d81ba7e191de265d55726e9b2efa0a8559f54641f3efbfb76adaf411f5ff4ced89b2a16db7e6549c5c622fd79ef61f634c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d36378641bbf3ec8f5cc938331c7dc6c

SHA1
e7d1e77b16d399337d0dd7d97b6bd367e4fffc7e

SHA256
d00f9df00c66249e01a723c274b1dfd22b05531719279e783bd52028189de064

SHA512
200628609f59c19336d0c4faf0dc82e5c139549755aa7935ae3c3e47664f89088dff8b241a62f8814c39b7bbbe5781d72818d55a0b50bd8d1da38d6f1a85db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\2.gif

Filesize
135KB

MD5
e1f71a0a0c96a1b46e1bb8ccdbc7dcff

SHA1
36d11bad14a80944eaa61be8083d92cedde50c01

SHA256
8351f6b374d3c05958842d602c401b2b7eb4f08cfc0a952279eb9c88a0218ec7

SHA512
23f7dd6645cf0857dc612cd2dc0502f8d1beedd848d8f06dd8f94cd74e4730b7552c563d98d77d1e3308405bfc490d5c2b3c05ea42d185d583615f99f2640fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
memory/3956-25-0x0000000002EF0000-0x0000000002F1D000-memory.dmp

Filesize
180KB

Download