6f9ff374fe39ab45d30d728317dd3afaa5f307637eba3e4e7dcd7eb50084023f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe
Size

388KB
MD5

1c2aa519cf1a087fd5bc9b16f3b29fbf
SHA1

cca1d82c54587343885b8ef28b3ec2e12e0ccc2f
SHA256

6f9ff374fe39ab45d30d728317dd3afaa5f307637eba3e4e7dcd7eb50084023f
SHA512

b88117ddec7a9034d6d9379ab39597dcfa92053f6b199771992f6a357711b9ec88c0321a9d23c1703a2ce432874dcefa20ddbc721d2e8c03a61b5fab3ba598b7
SSDEEP

6144:uBIHYIw4oP7kvzP3VyQgkrydG5/YHcUWF4/G4TyQOI5JgpcvqNplcwaNC:up4oPs3VvgldG5/4WF4fT0Iw5piNC

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	sites.google.com
63	sites.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
178	api.ipify.org
229	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\GlaGlo.dll	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{993A0C1A-8113-4483-A2E4-6527BD68E55A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
848	msedge.exe
848	msedge.exe
2668	msedge.exe
2668	msedge.exe
824	msedge.exe
824	msedge.exe
5660	msedge.exe
5660	msedge.exe
5236	identity_helper.exe
5236	identity_helper.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 824	4808	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe	90
PID 4808 wrote to memory of 824	4808	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe	90
PID 824 wrote to memory of 2700	824	msedge.exe	91
PID 824 wrote to memory of 2700	824	msedge.exe	91
PID 4808 wrote to memory of 1692	4808	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe	92
PID 4808 wrote to memory of 1692	4808	1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe	92
PID 1692 wrote to memory of 2056	1692	msedge.exe	93
PID 1692 wrote to memory of 2056	1692	msedge.exe	93
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 4080	824	msedge.exe	94
PID 824 wrote to memory of 848	824	msedge.exe	95
PID 824 wrote to memory of 848	824	msedge.exe	95
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96
PID 1692 wrote to memory of 2664	1692	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c2aa519cf1a087fd5bc9b16f3b29fbf_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wawanfcd.blogspot.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97f1046f8,0x7ff97f104708,0x7ff97f104718
    3⤵
    PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    3⤵
    PID:312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
    3⤵
    PID:2652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
    3⤵
    PID:1344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6908 /prefetch:8
    3⤵
    PID:5652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6928 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
    3⤵
    PID:5844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7772 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7772 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
    3⤵
    PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2284,6854915387747489493,16193121991284899651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3300 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://adf.ly/27I8q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff97f1046f8,0x7ff97f104708,0x7ff97f104718
    3⤵
    PID:2056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10570244146438137191,13682475638951966353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10570244146438137191,13682475638951966353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
21f08fa8329bee593c157ff8e3a7e570

SHA1
25833f523b8e769494846ddded7b5584c684886b

SHA256
646ffd4896f0093eb416be83fffafe2677f671850bb7391cf684a881c047b136

SHA512
e958c166ac3da2f22b4b06a2f6fd8eeb42cbc5e526e246865fd4463985f582689171cbd2f288c88735e4cfb68bf66ce74f92fda3637caa779090c51f445c725c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
fd88f06a1bf6c1cd3d025df8f8f3619f

SHA1
b7121d2958cdbe413c488d85dd25f49394e16c13

SHA256
d8838aeb722b1507ad7eb3b43c692ad7d2ce82b09e47c04213f94169c5fb0221

SHA512
c63b059bc6c0e244aed1097ccb04ea7e13e1021ac46ae81b1bf8dcf91507a5f47e9a0f2cf53bf9c9c39190ba38067f1ea0755c8a7ceee8b9f90e7aaab9dd7470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2c275b8c-6d62-4e5d-868f-520bd9ae0ab8.tmp

Filesize
8KB

MD5
ebbca0ab0b353ceb5c645732717c0369

SHA1
96734bfa778c954d5f486ff73b0cf9f7f1a672f8

SHA256
1fdfd584a37eb19f4953739afe081a1bf180b1773a41b79288a1664c129419aa

SHA512
b82d99f26883fbaaaef4a7c3f21c45a3ecc1c921224aa247da3d4bdbf2f0a83beafa8866247304570a2fc2352a70fdd77cfb861225450960da5c042e86906a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
21KB

MD5
ff707dbea4d040f3d79c697ba0daf3f9

SHA1
bd1a0f4af57137c44f8cd57896ec47a7028e1418

SHA256
15ba736f7df870aed03896ec1d459b8413bf06e76620633042529d1edaa8cbe5

SHA512
2eb4ab6877cbe224aaeaa6ba84471134ceb7a6066a59150e5fb60d4e58a60753e3334f803338e831e2ad12c361f9f593bc0f1c38b7777f5601d961929647e48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
45KB

MD5
94019c00785285cd78d6da8a1bdeaf80

SHA1
33ba11bbe8c91eca17a84c3dcae4667638a61b57

SHA256
2ea5a487d117c082ab04c8b2d979adc04c18f496af90ef2caf9910d9902ef8a9

SHA512
b58d23d9333290e203ee3191cbcca4686ae1f9b4c135ee8a8e0f014e7db4efdcffe6aa82b502b2d8e63bde705895a04726d799a4c6b0e22783b6925b4d297d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3dd3efc25881742fa338936d60040768

SHA1
cf68788cfcb651eb4d58f38eeb41859ac963669e

SHA256
a3fe85a499e79292dbe0bdbb40fc1fbc5e03a6ba7497ce51c7b0f807108c4232

SHA512
3eb86c7a76a0d0e370f9036403b46616ebb2a0947f859f25c8fd9fad1dfb899e30593661e4856e1b72b6303b4bea592323e61d26d0255f9a14de58a60fcce60e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
fbf5aa3408e3ddcef21af95514e99c6b

SHA1
60f83fbf0e90b79627801b1a3a1cd951f64e9fe9

SHA256
b3e3be17d6576739306b6e2e52ebe7185aaac6d8d7993b26d7e2f13a9b36d919

SHA512
0b4bef9c725a1b3405191c8381c3e11a536f000d7b89707cabdc32ec00094af7d2a70f24ccde99a46a442ba95ff0a971ec06d08f66cd0d3b82a7a3e9a3ee8013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9817979a7e3b0d3fb29fbc6e07171fe4

SHA1
7169d0abe83a9f61a5790405fe82db222d1356e4

SHA256
7aff7b8e77e970263a0300f54547b17a7179820015e75d16950a89ff4264b86d

SHA512
0a6a8ec584915e0e85573fe009bcf3245b24212016df94b87b6925da8cb1b4f4a68eaadd7afbec3afaae19bd5d152a66738aa1804a7795e100dc63d7e7db1f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
443000d7ac24f1759986c2719435cc1f

SHA1
88c312859e03962e84a64da5d10aa29a31662f92

SHA256
4bbea86890919a5a52f96737fbbba595639bea2ee61b7e41e126059aed62ddb5

SHA512
5cd318c3969b50e3d67e0230019ab1ddc987da42664f48aeaab2629000635d06c8464d065e515903718389b313392bd062d47d3a6bb9fa0445fb6d7bfdcb2634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f0d5c8f45de3a61a8c9acb34be144bad

SHA1
32ff8604bbe5cd57265cc4151684078cf5bc7fc2

SHA256
edc963b9efef59a909e485343980d1b757960e8a2040962c01a9017e407e985b

SHA512
400153c12f77fc701312556dfc5a752c17c86d4c604278fd99b6618b96773ec0858af8fa1177f5ef968a2fa786b1ce50247a047f4e50b8c88253dfc9c4fb2ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7a4a6dcc2509560427b497ead488001d

SHA1
4aa3ef387a5129a8e6307dee92dc9dc5ff2f939f

SHA256
5be73f5a6767ee091b239cb34f21a894ee82120d48fb44fa465eefaa074664a9

SHA512
5bbc8ba8d67e9ccc907339f246dc52e6f9ed1e2cfe0f4327bf7b724c0a6c2467abb99fc307b7725823d624e21b20de901bc05c4b590e1eaeb06840989dc762a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8cfaf60995005d116c3a146d11c26c89

SHA1
85fcb25c3a98ab9804c39f6d7dd2b006b3cc889b

SHA256
2682bb0da3f2f7487fe1655a1107855544ce96f84966d84dfce6a7f19ffcd0a1

SHA512
738e3971e237489931aaf7594bd2264fd2cb1cb23558f49df97258672e7a17edd5d823f775830731e54325d50fd700097c94161ec713d8a74cfaa59297f6722d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bfc6.TMP

Filesize
1KB

MD5
fa60d15743e1e5e289a73b6c754d8296

SHA1
81ee5562ccca106a949ab165cf215da1203a901b

SHA256
692547426ca7988274cb17836e4ed6c110c71b088d90215e582f9d100df624f6

SHA512
c3eb7b3a0615a6fcc4fb6674ed8066c9f4594198a66ab2cba058a8ff883600e13432aa9887046b60b5a252ea726be5f15a1c70074a0a497480991137d4ea3645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b0803546254a73d014b7c6c071dbfdad

SHA1
90c97a8973791816518f13ce6a2f0e67946a56ac

SHA256
e155de001fcdaf33c1bf63ba75728687eba0c1ac0c149c2cbe758bbce3fd2a8a

SHA512
3c308dc4c32defea32538f2c66a7d855b5edc374908f8e2d2d6329f43251fa5c7236e27d7d43066035c5023f9a73f956a8860a9893e8199ff36772257b07f65a

Download Submit