5266b1005295bd1b35ac4bd52561903af2867b73eb97584968bf0c5231f95c19

Analysis

max time kernel
133s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe
Size

64KB
MD5

293dd9fbf3424a5882721cc611e0f903
SHA1

536b2f5cd8adb75bd596ff81f970353ae87deb61
SHA256

5266b1005295bd1b35ac4bd52561903af2867b73eb97584968bf0c5231f95c19
SHA512

e964baac0ee0f58640f371d02bebd4d1773e4a113523b80fab8461ae13f3a6a5c307d2c0a1767e98bdc649e508d6aeea7048e492a413e7cb0ce2d47b9af670e8
SSDEEP

768:yz2tc9UCb2ijmgGNGv4AyG9KV2Xm9pHxJ9K8ra9gELN4tc3uH:C2teVX34aUJvSxN4tUu

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag\method = "ShellExecute"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%31%39%38%33%30%39%2e%63%6f%6d"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\shellex\ContextMenuHandlers\{1f4de370-ba4f-11d1-d627-00a0c91eedba}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideOnDesktopPerUser	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag\command = "´ò¿ª(&O)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\shellex\ContextMenuHandlers\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\WantsParseDisplayName	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\shellex\MayChangeDefaultMenu	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InfoTip = "ÌØÂô"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shellex\ContextMenuHandlers\ieframe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\shellex	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\Instance	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\LocalizedString = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shellex\ContextMenuHandlers\ieframe\ = "{1f4de370-ba4f-11d1-d627-00a0c91eedba}"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-ba4f-11d1-d627-00a0c91eedba}\shellex\ContextMenuHandlers	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2292	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1808	msedge.exe
1808	msedge.exe
1968	msedge.exe
1968	msedge.exe
1368	identity_helper.exe
1368	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe
4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe
4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2292	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	84
PID 4400 wrote to memory of 2292	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	84
PID 4400 wrote to memory of 2292	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	84
PID 4400 wrote to memory of 1956	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	86
PID 4400 wrote to memory of 1956	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	86
PID 4400 wrote to memory of 1956	4400	293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe	86
PID 1956 wrote to memory of 1968	1956	wscript.exe	91
PID 1956 wrote to memory of 1968	1956	wscript.exe	91
PID 1968 wrote to memory of 3096	1968	msedge.exe	92
PID 1968 wrote to memory of 3096	1968	msedge.exe	92
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 2992	1968	msedge.exe	93
PID 1968 wrote to memory of 1808	1968	msedge.exe	94
PID 1968 wrote to memory of 1808	1968	msedge.exe	94
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95
PID 1968 wrote to memory of 3220	1968	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\293dd9fbf3424a5882721cc611e0f903_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\go.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:2292
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\go.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gupiao1.info/index.htm?bbtbb
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc454646f8,0x7ffc45464708,0x7ffc45464718
      4⤵
      PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:2992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
      4⤵
      PID:3220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
      4⤵
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10580723701675263314,13771353437986703862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
      4⤵
      PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9da3857dbf6dc7bedbcf5b1f44efcc9

SHA1
3bec253395ef984af34ac8484939a4b5147a0b6e

SHA256
10f11d0ec1a76fbaef5e5045700f03fa26bd45ea0e92b685e25c2f9d234952e6

SHA512
6637fe3646f99de7b08306e59f3065c7c31c91ebeeb3c87d9a8eb808bce4e570fb17f5df4767a8f116a0ac04063924519c4cf1b3020f086a295af7240fe5d532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c98a470c33caf9ef767c24a3310aca44

SHA1
7adc817e4cf709327877714fd30fe2223aa0ffe3

SHA256
141ad1ce5ce28dc08b6c78036be5662b47e44a1f07ae88855037addd4994872b

SHA512
6924ebe48c05ef05ff97ebceb90d5ead256a16be3b5a3832155b9f56a3b2dbb9fff083b54b3655d373a7bb308377b6f3eab58ef8d87bb4e4101deb2a585c4706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2abea7940b8a3e1dc8def593491a1bc8

SHA1
d0ff7be838e3966e964500e54ac2f6af11a4af43

SHA256
348ea1096ecb83ca1266a67f03e229567f57746a1f2f6f8264b380538e7a2793

SHA512
5a6650bbed796cd4ab66f497f6fd509eb4a1b10ce2db15feb9d73f4f089ce6ea78fcd1f516da2bf92fe3087b62be88466be79a82cbd63629fe0cdb825fe456eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\go.reg

Filesize
2KB

MD5
82d6525e15a0106f80a26b9ff9155ec2

SHA1
ce4cdd54ced1fb8571b3b2d452033473365a3cb8

SHA256
bc2b5691da50b6bf526d284f0aced0e048f2739607f22bdaa828f8d5ebd13eab

SHA512
7ec1f2bb5cbdd4dc85c509ae399c624cd70acb6cbcb971f10eccab0d8c0634e9d103fef4d0de12c3ba93f369c72cf4ecead2232c24c6ad94b3e6927b7a26bdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\go.vbs

Filesize
1KB

MD5
3e8e40698eb487d341f9b50170a83178

SHA1
0fd53ce1383333929b7f50ad148c6d29f9752619

SHA256
c26b201dbd639bd67c26f5b490cc3dbb924f021a2c319e5557cc6ecc0fcc29b8

SHA512
4a8b45787116a474b68e44e6463b1082f3794ab7ff61970336088507d240164bc83b47c496beed79fbf8124a270ce06164da935a8801774c319e7518362aa2c0

Download Submit