63845f087d2c1e6110e619d02bb8f893d6ac66394ba169a96883d821c9754652

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Size

260KB
MD5

4d48147aff1bb8ab18255b32d11c29d7
SHA1

a13347c53a0d207a312a9be9f2ef9a6d5bae360c
SHA256

63845f087d2c1e6110e619d02bb8f893d6ac66394ba169a96883d821c9754652
SHA512

0d50f8e212210a9850f184f2d66e1a4b8b1d8f03f31968f4c22e52d897948300eb186316f3c4cef0324dc719706e69b548d087aa5393704de86f57147b2e4b70
SSDEEP

6144:sMaDN3jto7RcPJ1KOuNINpk0gniex+2LQKHKRI:sMahuNOpax+2L0I

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-0-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4200-3-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\Download	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
4792	msedge.exe
4792	msedge.exe
3260	msedge.exe
3260	msedge.exe
4244	identity_helper.exe
4244	identity_helper.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4484	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 3260	4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe	86
PID 4200 wrote to memory of 3260	4200	4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe	86
PID 3260 wrote to memory of 1468	3260	msedge.exe	87
PID 3260 wrote to memory of 1468	3260	msedge.exe	87
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 3532	3260	msedge.exe	88
PID 3260 wrote to memory of 4792	3260	msedge.exe	89
PID 3260 wrote to memory of 4792	3260	msedge.exe	89
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90
PID 3260 wrote to memory of 2972	3260	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d48147aff1bb8ab18255b32d11c29d7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=ZvizXaqutWM
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffdb52e46f8,0x7ffdb52e4708,0x7ffdb52e4718
    3⤵
    PID:1468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:2696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3273027459356499971,8953145328236480989,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4624 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x538
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c86c838cf1dc704d2be375f04e1e6c6

SHA1
ad2911a13a3addc86cc46d4329b2b1621cbe7e35

SHA256
dff0886331bb45ec7711af92ab10be76291fde729dff23ca3270c86fb6e606bb

SHA512
a120248263919c687f09615fed56c7cac825c8c93c104488632cebc1abfa338c39ebdc191e5f0c45ff30f054f08d4c02d12b013de6322490197606ce0c0b4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27f3335bf37563e4537db3624ee378da

SHA1
57543abc3d97c2a2b251b446820894f4b0111aeb

SHA256
494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a

SHA512
2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
5fb5d676766ac3990051cc692493a908

SHA1
a801fb569ba98ba6a5025c421bcb892a6d1c5cb1

SHA256
26467286d85045b74a321092bd67ba3f498babfdefa856b09ef6d1a46acbe82f

SHA512
ed8ca0ea2d228c68495bf6018acf292bab78407b623e5db74aa79150586ffdd1d2b81ab8bb3798a069f96f5222a66a882c1227f40c886a0acc0b5a9ced25eb0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
99375fde19a78fa7add84adb18285aa2

SHA1
1ea9b8dfcbce16bb6715af7cf880cb6f5c088274

SHA256
8fcb6e8822637864380f6f12b51132fe23fc05a03cb65d586d50cedd323277fa

SHA512
fa9b8f08966f595f85aadf7892616af38dcf79d46473df4008e40a6dd634a77005abe0eb58f7732e71138e665baeb506495c25b3814d68749e6aa045c0715957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bd8514340218b36c60cf93c65e979ba7

SHA1
20a4e1eb98989d0ce87bdec7aabc84db687ef385

SHA256
daf2eaac47974f306516a9df5abca4fad53485d0dd707da33aede36b475c4d8b

SHA512
f1978b1e62029dd3dbe57467d53138588a231553fa48ec5da2007ca28f2e100fac517279c705e0b679f36aafbea909ceee0941419710655e1b0f938c7c16338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f00e271dd4458c91e9fcebcab30e0fd3

SHA1
44a11a73851e5b623bd28e7ba16d15f69caf6d0c

SHA256
7cee7c1b2186fd3ad7ab2d200f936d883af1d438cac5db3826ce91d0fc34518c

SHA512
b66c5478ea3be22167dee953cdae627234642cc82d87392537ced15b08f39506116fa73a7c3a7e3aff4a6e99c08f244c349022bbbc35d6492f2f9797273fe1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
131b69338f2e2ac35db525cab82264fe

SHA1
1a445635a1c96576296c8c9b40a605e294c34a49

SHA256
d75675626c91393b1d9f7420fec7a7fed2580dcacc6213a63dc1b8fbf5c5cae4

SHA512
ffaa803eb8b5fd8f4dd2f0d2469e81a62b084edaf848f5706d945881dbb0cbca596d3ab7460a5bb9e784c18b82743197b3b787afef668ee4b73990339770ad04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\042d7d01-46d9-47a7-811b-4d27e6e1e837\index-dir\the-real-index

Filesize
2KB

MD5
be2a043246b7fcccac163bff37b9ea08

SHA1
10c975e8f0258ff925335e98e8e9a61633c600a5

SHA256
08da4332e860fba843960b828d34f5306eb27a8e3c68ff40345db17cad7c3253

SHA512
6f48680a4b6143e5eaabd2aa156602f0eb26850e98836788de541ab80f0bb043784adafa5d8d624c439260c08d0c8680d6d049ac29d53140454d5082c489bcb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\042d7d01-46d9-47a7-811b-4d27e6e1e837\index-dir\the-real-index~RFe57e83d.TMP

Filesize
48B

MD5
b16ec3467a2ac09a3d4e94d074c0c2c8

SHA1
28b4042353c21ddffdd0955fbddfd2cee6142baa

SHA256
f81bbf4aae96d22b46c8558702f0046263895fbd33db3481cff87a161df00819

SHA512
b2957b7c890ac9c592a7fa4ad3ac13d596d3de6ef5399dc8670fdd43e222fbc577262b4a9b35065702a7be6bb23369d0352f73b966c23943a2b9c444a7eb8550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
200530acbaf8659fb4f0749e3c69c05f

SHA1
41580253af119469e451d7dba632b48d0ac6c32c

SHA256
56a29e4b7a789fb50234661b8a200453ce84ecd329a6760b6f85e0a38f4ebf91

SHA512
6bbf94167f4807074678c197d7b54f6d92857dbe5b1c409bd29f5e3ac3b2f75c19cd5558e566496ceeb625e80e68777dfeb4a7f1a11990e25956001f32654fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c35f9cc465ddab8df90b626769dff606

SHA1
6762c3f06aae2b71960b0fa1a2590affd4cec9d4

SHA256
7ecbd44b9f193c992846acfc6ac2caf2926c4fd9dd2552b0e3fb2c9abb3b6d61

SHA512
8d408061d51219082dce6f7191c6f40996d81af06c9ad5a4721b3b24ebf3233865c37d98cca90d99d7a79aa9087df3981cc2e907a2e83ea85cc86ac4540f86e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c8363309aeae8c6acb50f7ba262ab922

SHA1
3b3ecd32081866561e06abdab8afe9430f34233d

SHA256
e4da96d1d02b7fd1e5683e2585480fa95c404ed86d5d18d53c6fa87b926b35cd

SHA512
cfee7978e6d36d8baf27fdc68e986323f4cbf17b43121a8f3c55c491e21a73c028f8143be4731c6f478636d3847fbfe3b3da3def3b625cfba5abf0219b50e276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5791d0.TMP

Filesize
89B

MD5
bbc4c02a4ddf5a785bcbe7c3d6f7e2b5

SHA1
4ae1db895da995dacba8c6a6589c71631130d43c

SHA256
79e78147a8e2d3b4852bb3999026045b328b24a6ee88154727c98f082fc1773a

SHA512
983adb76ad74a2878d9b7d250f45b527974a0051b3ef769e71a33d5acfb382818c4fbf83c52bdfd4b27d43ae5566d6d7129bbe9389bf9de93a283edd5946a437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eeb6e8bbdd426e9de104d21f80509af8

SHA1
32843690907c2162f10a51b5272040ff82714300

SHA256
1cf01ba4810b89f19041a7a935f38cd9f50df7c26dca2412006da9fc344be690

SHA512
2944a3f297ccf8e2744755425bfdd0182f78b22538904980131774e84c331de5bcdc3bdecc9822a693848a6295245cb937ecb868b0f85bc09d209eba37d29910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e0bb.TMP

Filesize
48B

MD5
8614f3be52704ef8adfabcd16a2bf051

SHA1
85eb442f82c3f7a68bbd1212f9113b10dca14725

SHA256
19eac79fcf723bd0d202955524f9cc3eb964896dd4de31621ffc7303b298bc53

SHA512
2371ac1fba99b575237acb1b95f11b7a67e76d44b3b2ea81bf99db2d73205aa5f04c4a7adc15f9997e050756fef88dbf1acaebb78932fd236ade39caad77489c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b88f557b55f0ef6c3ee7ddc7f9652890

SHA1
1919d72c18475fc044c914510bd0148291261f0d

SHA256
1cc755fc3e032f1aa86395e4c23b6d4722fc825aad00d69edc8da172d738b875

SHA512
7e0fa47aeba0c8fe6caa7265455c0a830aa4090154885d1cd1168abf66878265bbdb432b1f3a95ad0d21a14efe83cb739944cf6853628ae9c2d17b07896242ed

Download Submit
memory/4200-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download