1930a2efe2ab477ad2e503766ae4fbf0b15fc1fe2b76316de1b9f32793715707

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
Size

229KB
MD5

17a8208667e746f100921b9d45c264c9
SHA1

135a08bb0b340a170f426f623296c0fec969169e
SHA256

1930a2efe2ab477ad2e503766ae4fbf0b15fc1fe2b76316de1b9f32793715707
SHA512

2281b01c93f1823ffc5d578fff20b6a9e41bb4dd51f9bdba8620a7f0b1988305b0b74243fc2d0329ad1eaa28a590a2c6c304271731a688a520556e77d75293e5
SSDEEP

3072:ebHHjm3P7BkOWWLvmxJny8HxhC2bl1DsyOrExy:ebHjCkeLvH8pbl1Yy

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\R:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\Q:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\N:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\M:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\E:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\Y:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\U:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\P:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\O:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\V:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\J:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\I:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\H:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\G:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\W:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\T:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\S:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\L:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\K:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened (read-only)	\??\Z:	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ar-ae\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\es-ES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\legal\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
File created	C:\Windows\Dll.dll	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3532	4736	WerFault.exe	92
4292	4736	WerFault.exe	92

Runs net.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3532	4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe	93
PID 4736 wrote to memory of 3532	4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe	93
PID 4736 wrote to memory of 3532	4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe	93
PID 3532 wrote to memory of 4420	3532	net.exe	95
PID 3532 wrote to memory of 4420	3532	net.exe	95
PID 3532 wrote to memory of 4420	3532	net.exe	95
PID 4736 wrote to memory of 3452	4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe	56
PID 4736 wrote to memory of 3452	4736	17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1020
    3⤵
    - Program crash
    PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1020
    3⤵
    - Program crash
    PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4736 -ip 4736
1⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4736 -ip 4736
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\_desktop.ini

Filesize
9B

MD5
7d17b811a66f09661920bf5af1f95ae9

SHA1
f974fb71f0c9242357d308243f16d5509a0fb040

SHA256
1ffbf32a83283a76202c268eb3ea579c4b39aa6fb11fc42ad18318286fbf749c

SHA512
019689bb28dd360a9b3fe6696944854f806ebe877734f4f8533f7c2508d371049a96f6c7bd5dda908ab91686dbfba4a54335cbc6c4d649775e62912f0af730e3

Download Submit
memory/4736-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-4093-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download