Overview

overview

10

Static

static

3

1c5eb0e8f0...18.exe

windows7-x64

7

1c5eb0e8f0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe

  • Size

    165KB

  • MD5

    1c5eb0e8f00fd584e8d1d3006278fe76

  • SHA1

    03f5aa75940b9176a97ac41257f306c33cca93da

  • SHA256

    e026f6f1a5a4f5b39e68c8cdb050334174764d2c7fe041073c6e64872a3a4099

  • SHA512

    592c5856367f942c29f9f88c7ed20f65eb453475991ffafa11cd72b4c45ca3e58f47af0d4daf6cda2a3800de45789d55596bfcfe3588ee4f7f77417e52474590

  • SSDEEP

    3072:yo5Htro+64OBGLvtwT+rGkLB0oA50BFLqlNyoNCzN2D3zCCR9GPU1:351llOBGLvuT+rjLBxAblNyN2zz7RWM

Score
10/10
ramnitbankerevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:600
      • C:\Windows\system32\fontdrvhost.exe
        "fontdrvhost.exe"
        2⤵
          PID:764
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1012
        • C:\Windows\system32\lsass.exe
          C:\Windows\system32\lsass.exe
          1⤵
            PID:656
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            1⤵
              PID:772
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch -p
              1⤵
                PID:780
                • C:\Windows\system32\wbem\unsecapp.exe
                  C:\Windows\system32\wbem\unsecapp.exe -Embedding
                  2⤵
                    PID:2808
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    2⤵
                      PID:3728
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      2⤵
                        PID:3884
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        2⤵
                          PID:3944
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          2⤵
                            PID:4040
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            2⤵
                              PID:3824
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              2⤵
                                PID:2484
                              • C:\Windows\system32\SppExtComObj.exe
                                C:\Windows\system32\SppExtComObj.exe -Embedding
                                2⤵
                                  PID:2648
                                • C:\Windows\system32\DllHost.exe
                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                  2⤵
                                    PID:2552
                                  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                    2⤵
                                      PID:5024
                                    • C:\Windows\system32\backgroundTaskHost.exe
                                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                      2⤵
                                        PID:4400
                                      • C:\Windows\system32\backgroundTaskHost.exe
                                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                                        2⤵
                                          PID:2108
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k RPCSS -p
                                        1⤵
                                          PID:884
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                          1⤵
                                            PID:932
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                            1⤵
                                              PID:420
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                              1⤵
                                                PID:848
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                1⤵
                                                  PID:880
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                  1⤵
                                                    PID:1096
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                    1⤵
                                                      PID:1104
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                      1⤵
                                                        PID:1180
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                        1⤵
                                                          PID:1204
                                                          • C:\Windows\system32\taskhostw.exe
                                                            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                            2⤵
                                                              PID:652
                                                            • C:\Windows\system32\MusNotification.exe
                                                              C:\Windows\system32\MusNotification.exe
                                                              2⤵
                                                                PID:4596
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                              1⤵
                                                                PID:1260
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                1⤵
                                                                  PID:1308
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                  1⤵
                                                                    PID:1352
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                    1⤵
                                                                      PID:1412
                                                                      • C:\Windows\system32\sihost.exe
                                                                        sihost.exe
                                                                        2⤵
                                                                          PID:3048
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                        1⤵
                                                                          PID:1488
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                          1⤵
                                                                            PID:1500
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                            1⤵
                                                                              PID:1564
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                              1⤵
                                                                                PID:1632
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                1⤵
                                                                                  PID:1668
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                  1⤵
                                                                                    PID:1696
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                    1⤵
                                                                                      PID:1780
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                      1⤵
                                                                                        PID:1796
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                        1⤵
                                                                                          PID:1908
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                          1⤵
                                                                                            PID:1916
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                            1⤵
                                                                                              PID:1928
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                              1⤵
                                                                                                PID:2004
                                                                                              • C:\Windows\System32\spoolsv.exe
                                                                                                C:\Windows\System32\spoolsv.exe
                                                                                                1⤵
                                                                                                  PID:1708
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                                  1⤵
                                                                                                    PID:1804
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                                    1⤵
                                                                                                      PID:2072
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                                      1⤵
                                                                                                        PID:2232
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                                        1⤵
                                                                                                          PID:2280
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                                          1⤵
                                                                                                            PID:2288
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                                            1⤵
                                                                                                              PID:2424
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                                              1⤵
                                                                                                                PID:2492
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                                                1⤵
                                                                                                                  PID:2568
                                                                                                                • C:\Windows\sysmon.exe
                                                                                                                  C:\Windows\sysmon.exe
                                                                                                                  1⤵
                                                                                                                    PID:2580
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                                    1⤵
                                                                                                                      PID:2596
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                                      1⤵
                                                                                                                        PID:2624
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                        1⤵
                                                                                                                          PID:376
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                                                          1⤵
                                                                                                                            PID:3140
                                                                                                                          • C:\Windows\Explorer.EXE
                                                                                                                            C:\Windows\Explorer.EXE
                                                                                                                            1⤵
                                                                                                                              PID:3304
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"
                                                                                                                                2⤵
                                                                                                                                • Modifies firewall policy service
                                                                                                                                • Drops file in Windows directory
                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:2016
                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  3⤵
                                                                                                                                    PID:2100
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
                                                                                                                                    3⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                    PID:3252
                                                                                                                                    • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                                                                                                      4⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      • Suspicious use of UnmapMainImage
                                                                                                                                      PID:2392
                                                                                                                                      • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe
                                                                                                                                        5⤵
                                                                                                                                          PID:4720
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 204
                                                                                                                                            6⤵
                                                                                                                                            • Program crash
                                                                                                                                            PID:3704
                                                                                                                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1152
                                                                                                                                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:17410 /prefetch:2
                                                                                                                                            6⤵
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:1676
                                                                                                                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:440
                                                                                                                                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:440 CREDAT:17410 /prefetch:2
                                                                                                                                            6⤵
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:4280
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:3316
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                    1⤵
                                                                                                                                      PID:3476
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                      1⤵
                                                                                                                                        PID:3932
                                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                        1⤵
                                                                                                                                          PID:828
                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                          1⤵
                                                                                                                                            PID:1644
                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                            1⤵
                                                                                                                                              PID:1952
                                                                                                                                            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                              1⤵
                                                                                                                                                PID:1532
                                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                1⤵
                                                                                                                                                  PID:4424
                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3248
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4860
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fffda5f4ef8,0x7fffda5f4f04,0x7fffda5f4f10
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2160
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2304,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:2
                                                                                                                                                          2⤵
                                                                                                                                                            PID:2900
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1972,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:3
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4128
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2340,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:8
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2992
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:1732
                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2172
                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:2788

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Replay Monitor

                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                  Downloads

                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                                                                                                                                    Filesize

                                                                                                                                                                    471B

                                                                                                                                                                    MD5

                                                                                                                                                                    df3b51cc5929f3af03350336b1afc568

                                                                                                                                                                    SHA1

                                                                                                                                                                    48453c44facbbea059f9da8565cf25b1c2cb9ce0

                                                                                                                                                                    SHA256

                                                                                                                                                                    2375353160c5f8c4cadce5954ff4a7cc5b9c403890f0404791ff85c8ec0dd748

                                                                                                                                                                    SHA512

                                                                                                                                                                    d8eaa0761def6d74462748aa794198b5f32fa593662bf373c81e1d300f3f76ecc1c723cef52774caa6482527f26524fd2677a5e2253285cb6d0984b044347e8a

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                                                                                                                                    Filesize

                                                                                                                                                                    404B

                                                                                                                                                                    MD5

                                                                                                                                                                    08e3c4c6989ba6af68a34f66fc94db2b

                                                                                                                                                                    SHA1

                                                                                                                                                                    b2d7546a8aa1b2b170eb361a3b59b3b1939827ae

                                                                                                                                                                    SHA256

                                                                                                                                                                    6740765f5b675959f1a07a9471b66314514b873867f0c30095ded76af7991b4c

                                                                                                                                                                    SHA512

                                                                                                                                                                    53a6be9441e562535aa5742a09a14bdc11782d67a44dfa504ff5efa4a368baf3aebc1835c5c780b1415c657cd8b24871da2c3fbb3372894653994a1ce28c5f4f

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                                                                                                                                    Filesize

                                                                                                                                                                    404B

                                                                                                                                                                    MD5

                                                                                                                                                                    c388cb27268621665793b075d9c84c08

                                                                                                                                                                    SHA1

                                                                                                                                                                    ea54bf7cc3b110dbbccc9284fcd7b483fe1cefd7

                                                                                                                                                                    SHA256

                                                                                                                                                                    226a7ca995cf5811d0dcfa766a12105dfda56cbc7c25c4e95ff46355bf616549

                                                                                                                                                                    SHA512

                                                                                                                                                                    ddef6d6b62baa57ef3daab78c8e4830ed4398b7e40e979ce6d3756c0c4dee86b9190f1b2e9f4276143891ca08127b3ed750a84b9c79c4775894f4ce14589cf71

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    MD5

                                                                                                                                                                    da597791be3b6e732f0bc8b20e38ee62

                                                                                                                                                                    SHA1

                                                                                                                                                                    1125c45d285c360542027d7554a5c442288974de

                                                                                                                                                                    SHA256

                                                                                                                                                                    5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

                                                                                                                                                                    SHA512

                                                                                                                                                                    d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E29E077-37E9-11EF-90FA-C21B8D59DC13}.dat
                                                                                                                                                                    Filesize

                                                                                                                                                                    5KB

                                                                                                                                                                    MD5

                                                                                                                                                                    518f5ca210ada501cd0e7399627e2ba6

                                                                                                                                                                    SHA1

                                                                                                                                                                    a19ee2c57c0ae050f0604304b22b23e16ca7fb2d

                                                                                                                                                                    SHA256

                                                                                                                                                                    f6f2addd822a660253384f3f069a3280afbf6ee71d683ca7391d1df8a48befb5

                                                                                                                                                                    SHA512

                                                                                                                                                                    8aefe96b185832bc325a2bfa055cef2ed96d4cc079b65d70a3bf2280d919d1aeec780d96aadfbe19126c258ff8b5c7f6e9ce57c9c78f7ac27a77333f6721c34b

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E2EA621-37E9-11EF-90FA-C21B8D59DC13}.dat
                                                                                                                                                                    Filesize

                                                                                                                                                                    5KB

                                                                                                                                                                    MD5

                                                                                                                                                                    b2765c6c4580717eda5bf0766a1080ca

                                                                                                                                                                    SHA1

                                                                                                                                                                    726b7f72a38ee9001bbac616e2ccedf39078bbe0

                                                                                                                                                                    SHA256

                                                                                                                                                                    aa90afaea094e41a5833d4de164fcedc1decaa888bc9441b07137eb7384d506d

                                                                                                                                                                    SHA512

                                                                                                                                                                    7fc616366f25825f9e74b4219b6ef6c602a407eb10b51127f89cfae1bdc3b62968832905a0e7f2e7a79f180da49c38871462d48e1e550a88a8cc8d1b100c451e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver70D6.tmp
                                                                                                                                                                    Filesize

                                                                                                                                                                    15KB

                                                                                                                                                                    MD5

                                                                                                                                                                    1a545d0052b581fbb2ab4c52133846bc

                                                                                                                                                                    SHA1

                                                                                                                                                                    62f3266a9b9925cd6d98658b92adec673cbe3dd3

                                                                                                                                                                    SHA256

                                                                                                                                                                    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                                                                                                                                                                    SHA512

                                                                                                                                                                    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RD8M0ENG\suggestions[1].en-US
                                                                                                                                                                    Filesize

                                                                                                                                                                    17KB

                                                                                                                                                                    MD5

                                                                                                                                                                    5a34cb996293fde2cb7a4ac89587393a

                                                                                                                                                                    SHA1

                                                                                                                                                                    3c96c993500690d1a77873cd62bc639b3a10653f

                                                                                                                                                                    SHA256

                                                                                                                                                                    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                                                                                                                    SHA512

                                                                                                                                                                    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
                                                                                                                                                                    Filesize

                                                                                                                                                                    60KB

                                                                                                                                                                    MD5

                                                                                                                                                                    cd963c64ad0bea4ca85a4819f6eefed1

                                                                                                                                                                    SHA1

                                                                                                                                                                    d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

                                                                                                                                                                    SHA256

                                                                                                                                                                    33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

                                                                                                                                                                    SHA512

                                                                                                                                                                    f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

                                                                                                                                                                    Download Submit

                                                                                                                                                                  • memory/2016-33-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-34-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-44-0x0000000001000000-0x000000000102E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    184KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-41-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-37-0x000000007FE40000-0x000000007FE4C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-35-0x00000000773F2000-0x00000000773F3000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-36-0x00000000773F3000-0x00000000773F4000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2016-0-0x0000000001000000-0x000000000102E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    184KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-32-0x00000000773F2000-0x00000000773F3000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-31-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-45-0x0000000000070000-0x0000000000071000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-65-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-26-0x0000000000900000-0x0000000000901000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/2392-27-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-5-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-6-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-9-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-12-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-14-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-13-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-10-0x00000000008A0000-0x00000000008A1000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/3252-7-0x0000000000400000-0x0000000000421000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    132KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4720-29-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download

                                                                                                                                                                  • memory/4720-30-0x0000000000E70000-0x0000000000E71000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    4KB

                                                                                                                                                                    Download