a17cef58a8b0afdc9f83faa64dab352a1116df47a1c9434ffdbbd8cbe8cf13e0

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
Size

468KB
MD5

4a400880fd817ccb126782675a484fdb
SHA1

50c5be3956fb3d0eaa73199d92aa4b5a64a1f17d
SHA256

a17cef58a8b0afdc9f83faa64dab352a1116df47a1c9434ffdbbd8cbe8cf13e0
SHA512

36abd4382f4f828b6d5ebe9472c5f9ad549ac448c9bf39e59b3c907ed569d716a8869c52077078e8d01091ac9557476ac2e7b0f1baaa2f3f11fe07188f62940c
SSDEEP

12288:ingwSxFYLDkOcWkU9KozExPymhb/0S6guKqZbQ0zKPp:igwSxFtBWx9KKEA+uZZb9KPp

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1116-0-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral2/memory/2648-1-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2648-3-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2648-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1116-8-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral2/memory/2648-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1116-8-0x0000000000400000-0x00000000004F1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
3056	msedge.exe
3056	msedge.exe
1204	msedge.exe
1204	msedge.exe
3484	identity_helper.exe
3484	identity_helper.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2476	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 1116 wrote to memory of 2648	1116	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	85
PID 2648 wrote to memory of 1204	2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	87
PID 2648 wrote to memory of 1204	2648	4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe	87
PID 1204 wrote to memory of 884	1204	msedge.exe	88
PID 1204 wrote to memory of 884	1204	msedge.exe	88
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 1276	1204	msedge.exe	89
PID 1204 wrote to memory of 3056	1204	msedge.exe	90
PID 1204 wrote to memory of 3056	1204	msedge.exe	90
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91
PID 1204 wrote to memory of 3696	1204	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a400880fd817ccb126782675a484fdb_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=-vezRHz1V0o&feature=related
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff547b46f8,0x7fff547b4708,0x7fff547b4718
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      PID:1276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
      4⤵
      PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
      4⤵
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      PID:1720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      4⤵
      PID:3956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:3024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,572833495037658958,6283812580518877832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
b6ed863dc14c738339b02b818e19af62

SHA1
1deecdcc3b96a36222f9b26a2c386b42c35fb54f

SHA256
75ca6b1d6b0a582b498c4f8a004490b9b32666b36d24b3d5d6dffb4ff0008a55

SHA512
7bf59cc8d7a63f4aa29f1cfdcecde88bcaa0058434eb8fe8b8c5c09032ad6d9b8f750be1978381bfd157e1c845d0dd9a4cce5fdf2c285038e760be6140771f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0d1216abfe5eb4dc39019a0e13163264

SHA1
43dcf86e872d0588307f40e8286e15799b235dbc

SHA256
649cbbfc66f4ed60819c8f564cb50bcaa322d29c39b4dc2c53bd4939a0ff070a

SHA512
640dc7048afd205205af16be230a97e2d598689cbb1231fe1f39ff95b0760f46aa098dc71b18847779e0352bf2c1cc8567cc2194ace5e7497194519e282e6dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e7d6981d14e3ac866785c9fac701d1a0

SHA1
5b881c6e220d666ab1b9c854409c96b66f637216

SHA256
c48850990cb61ecbcca467609132cd8808f0c23e847952fbac38a8d563fda96b

SHA512
e4944f98a5d009b84c0b191306fa7900f02fd35327d883fef3792270e23bb43a3a122af19edd23a8cd7146a8dd680d687c9e25b4a1fdec088ce84c12d1950f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
212558206d4ee80d2e5538dc7879bb59

SHA1
2579a92b68d1b2ceaebe2b35a47842cf012dba4e

SHA256
cff450c60d5aa411da7210002eab697299947dadcaf4dbbec06ff4ad1a60e7f4

SHA512
c47035f711919a26866d1700cf5c51b79a2249598bfaaccc262e4374a273c78fc3b741c07b29d67710291ead88da08841feddf840724f57d8e2efc80c3aacaed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c93b122f8fc411fffaf450365f1f2dbc

SHA1
6e41b2b0b7dbfbe0726475bcc110e4bbae89c68f

SHA256
4ebf2eccd02d9a171a5268ebb5cea3e1521bd304698a49543e9cf0c31d9c5ceb

SHA512
4a69c16649ee157f34dda02b12774e1e1d01d430e754acf7986f953c94f3d8d9d63bd4d3c629b2a743739ef86c7bd56b98e2fb429f2b3222decda06b181adbd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\45c5a77c-4e3e-4d63-ab96-fb2a289bffbc\index-dir\the-real-index

Filesize
2KB

MD5
2c77992df1a9f07d2a22832336b5abef

SHA1
7b2481afef3725c7797c6e20da361887e3fca452

SHA256
2eb082e848844313e96ef09fe04d5bfe997ab99c9beb4c6919c268aa84c4d14a

SHA512
f2a6c696e36f0d2c74ef3025aed31d4d7de258604a0833216099b411bb1c6f37a4654c415259a88e9b4156d3d577dfa790e059b72623ca4c2517620984400557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\45c5a77c-4e3e-4d63-ab96-fb2a289bffbc\index-dir\the-real-index~RFe580693.TMP

Filesize
48B

MD5
ef1d321ee753a772a6286f3b03babfac

SHA1
bb608565c1570cfb19475e31403bc7e3db086e23

SHA256
a82fe376cc5eace7ebcd55619520fdb52524eb9ede1bbd6abfd9d6d24763e06a

SHA512
92f01490212767130517591fbcfd88045332ddab6cffa70a5f34fdf4d6a118064898c381f6225aad7b396a5b41bd99b58c9ae02c0daa24138cd6ee4a6d000a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
8b908ce48ca03c97ac18cda2eb3744dc

SHA1
4482a8eb5ebcdea0ba392ce8a44553cb833ba10a

SHA256
7036351618a99d12036c6009226a45e9aaec4005fd0fb31ea34c796f6330300b

SHA512
28ad68f475fa8b643700149ca4a63975d04d87ef81f90fd25885ac72ff37d5a865a8e03c565b0d06d283ff7ede241010afd77e5cea52951e08c70fcc95bf95ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c285ac588d034f97369f27820e732015

SHA1
4c260c5fd99d4ca4457b9af193bb4569306ece33

SHA256
3bc82e1427eed0087bc20d46e83cff3f4a58283edcbdc39122a9c1b11aafb9ef

SHA512
d1a4b089cfd5dcd348cdaba5f660c664df83a896d1465e88279900b202466c1dcb030d828ffd0e99b44aea826d3a7237206a94fec123946ff3a055b2f907752c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
39aa68e991a8e344c49656f8e316631f

SHA1
e92e070f6e0a07c49018cfe1f521839b57a99379

SHA256
2d3b8a417119c18604c273825a3ecb417f14752c42736ca17c0fe50c2fbbbb16

SHA512
1591a5095b2aa96396055ac56bf4e82b15538f3de10dc2bd185c43a3c380b00c6015a7701c8ffdda78b8045190f3865688c62b6740412b9051898e4313f9bdd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57b093.TMP

Filesize
89B

MD5
da3124cbe0688bf608f9e11a25787b07

SHA1
e5029d68ae94d29394a7e060f0cdef8c9d38e093

SHA256
e7118124bad8f3b69173cdf95d410409abca7719b5a87c72cf57acf16143e659

SHA512
e3b096c0a49803febc0fb6e637bfda486b24a2f88150817333e551029d481a2d1336222946a1fa5b127b2d0875a54396b415856078b67670cebcdce72ab60019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
85c93639fbb9e6a59dbd0c4b01f22e40

SHA1
e90f28ad0a34bdc97ee20f7890047c32670a931d

SHA256
ef322a99fcb1fa47184e3e9abd9f506c87f98f492b0c8cb5e57c2fa35189b9dd

SHA512
abe0faf8d24745038b47aadb750a1f313bf736eedb55df55a0ee50234cbb7ce8914877249044c5a007b76c5459f1577fde3fd77a68c0344b5139326dc2e4ff00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ffcc.TMP

Filesize
48B

MD5
c7f30292cef9b1632d15d0b75ff3089b

SHA1
3bc98b94cba29b5d5a0d64d939284b1339e6ffa3

SHA256
6fb5051a0f615032329b2a2f698b14c7b6c4280590b7ed1c80f486cde941c346

SHA512
59adb97cd2234b198555edcebaaec4a33845b47fd03cb2a71183242cd2d1de179e7c8f77009089ec7f7f8e43dd47e60cfbdf1d46a8550a07ee37d11494e6f48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
abd9ccb0e53e94deef2ec9acd2a710ac

SHA1
d260d4c437ae252df3f524668a8ed7af415a88f9

SHA256
1a57b5b6daa97b82f0e7d0de64a3314f11464eb17538cf62ca4dbddf92d8d847

SHA512
661800b89a8456389931b758e610ccbe3d40b771fe20997b5a8e81fbebbc553ecf065daaced89e3fab13d39c006173dbbe20aa3ca794ffe27f9069e38151a4f6

Download Submit
memory/1116-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1116-8-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2648-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download