58befa41335f186baf79c6aa1d965246ee7a1f1dd4a71fda244ae5f11d54a043

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
Size

171KB
MD5

659d7db1b24a178796ec5bf41e7ab418
SHA1

4c7673458afae573da22c2700baa25176aa9b5fe
SHA256

58befa41335f186baf79c6aa1d965246ee7a1f1dd4a71fda244ae5f11d54a043
SHA512

f494723f4061da8f3a98272a8935bc60fd43e3dd8c5c6aeec92f4bdf63f9967803876a139d3dc379cbc2b4b36ef02379e26708a85b2f7784da634d9c44f4e679
SSDEEP

3072:yJkHsMya1N8hqjUYWr4wF1yXFHu/sjj+eLpI8KgEK7jSKXf3v4S:6kHsFqYn915sjXLW8Kcj5n4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	1164	WerFault.exe	83

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Download	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
4064	msedge.exe
4064	msedge.exe
3052	msedge.exe
3052	msedge.exe
4556	identity_helper.exe
4556	identity_helper.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1296	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3052	1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe	95
PID 1164 wrote to memory of 3052	1164	659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe	95
PID 3052 wrote to memory of 3416	3052	msedge.exe	96
PID 3052 wrote to memory of 3416	3052	msedge.exe	96
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 440	3052	msedge.exe	97
PID 3052 wrote to memory of 4064	3052	msedge.exe	98
PID 3052 wrote to memory of 4064	3052	msedge.exe	98
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99
PID 3052 wrote to memory of 1104	3052	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\659d7db1b24a178796ec5bf41e7ab418_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 388
  2⤵
  - Program crash
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8df646f8,0x7ffa8df64708,0x7ffa8df64718
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
    3⤵
    PID:440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
    3⤵
    PID:1104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3515894879784779169,11244765513594914657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450 0x15c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
0fea87d0cadb2779f0747d880f2f0558

SHA1
99bbf7918a97295a71d0051cfd034ee85124fb4f

SHA256
cca2ec7184f42fe7122dd6af3e057b31549f356557dbefafdba2796d3fadef54

SHA512
de54fb775f7862e786eaf04ea93fe3b82ec7f9b5df63ccb7d5dcef511570bc1eea37f2329b27561e0c43d720885ac8d9679b6b93b6fc629795b28edeb7820660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fe4c60b0598e69330c1e35ef6b8e8104

SHA1
3b5bb34ca54d6d5669e2e23230b48c9264402350

SHA256
97366686f731079e62b70e2e13a9e7dc5c27372452d6e2dbbd8d0719fd702c8a

SHA512
0b615202ebc83829ed845c2c72c3616d02b5edcfc73265bc69b34cfeb5bdfa3fea7ddf7a9b4742da188365bb4bee9d114ff889a6d0ef5aae6d8697af4841ff4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
eb1a14f99a832406b4e5c4a83ef5462d

SHA1
6c4370ff3959c33314a685eff72ca675bd030950

SHA256
871ac1ea7dc8d8f9fc4ed17d7588630805f391bce3b66fcf0b2a9bed87a48b28

SHA512
fd4257ba60e15b5edb1d25205d89557b64ae5a656249d9df8ba96e584449532bef2b3fa4682fe2b4dc45cfaf3449d3ee0033f042dd7b924e42d342336891743c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cad9ac8d027b2393a38a24b20e099af9

SHA1
8d5887ab2970720b8f04dc1b723589d949690ba8

SHA256
3501aaeb650aad14ae472f43354f4b7f99fb3cf13caf7d560f4965f95f9a03f4

SHA512
4c89f18b3f17f02eec2eded85917b75c6f74c0aa49777fc6c9155cbe8eb7db91c10ca584112431112884623279ebe4636b6118bcd79127d9fafa30ea6c23cb7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85e78f3e9cefd433a65e0bd93df0c38c

SHA1
45135a859eee48408e18ba4f153458b419894b9b

SHA256
602581b4a48c938eedcfba68265ba59acfd250c0af476896ea26154bdf658e55

SHA512
d49b7058ab17982fb47cc47a4ae2a91075d5c22ab9b72f0bee12fcc4f2b6d47dac4472b599eb700a1cc3faa69f95fb51f62cf82f4b79b443ddfbf14f3a75a7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c9d11fd6-8009-4aa6-8828-f750dea17f0e\index-dir\the-real-index

Filesize
2KB

MD5
3dfa995e920dcdca8499530e8b053259

SHA1
cdf2bcbc7eae449596964b0dade581dc221f3829

SHA256
cc54120df81fe969a75eacd5646888ab8a9dae0635f233c78d3aa8b46026332e

SHA512
d787ede0edfae357196cb26bd9ecefa8a57dc3a01349255f5ef71de9896ebdc104825154ab5bfce7a9c04bbb16438bbb7dd54ed1ba596bd7ef1df521650d8a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c9d11fd6-8009-4aa6-8828-f750dea17f0e\index-dir\the-real-index~RFe58394b.TMP

Filesize
48B

MD5
84e7e2a06cffe4d49ebb5434555faef9

SHA1
63251f139aa23e0dae16cd6ae8fb7a6bdbca5c78

SHA256
b9a68bec708b59532eacbad034e21beb1875b67151bfcd4d4cb178dee9d5f8a4

SHA512
b94bdbba22df86c1af60553e7e0d7997a65d7d7f2b0733c9d769e4c8e7d69c7629eb38510e50f4259346a85fc8ef3bfe60004c194478b07acfa8787d8da1a764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
8752f1e213f707a296ba51bde465275a

SHA1
bcaf5d7f2f707863d5692bf7ffc9a92c309a138b

SHA256
0abe018b3854d1a1e84e4909cfeee13427dfd20f4eee41b3b551256228180563

SHA512
127b86e9b307c2fce3990cd13cbd6c7ed76990e84ec1a6396027f80715b8fe083fa84f19469e99613317b273542bc2d10652637e04ba923a137c4617b5d0fdea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
88ec26cc4756c9abcafcd854c7a0372a

SHA1
a85726afb79c370f33fd9301b0ccf11bc5b1ff2a

SHA256
1d2452e83a94e1a117c483663636f5f2460dded41940656e7c2485a0d8b392c3

SHA512
9e7c11761e30df885f78bec6f28177b76d3a9931b96fb42e695475eff2b1b74725960db3b4370d5514e16881d17ce065859e76deb38f7938cea499f9448ec504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
d4062b992d9441b1e4f0f7ab74d83b32

SHA1
0a1e750006874df8a5d83ddda510a31e803c6643

SHA256
97ad96ae0bc2dc49ba549b6fff71b46ddefd05065e01b44da263404c45b1baf8

SHA512
a8a7f8a230979db61b4b4d8409fa84d77ac1e59f79a1ad20c12d0fb1267f892c4942c1bb5dee1eeb87ca19368bc4501d5b44757f3d98423e146e53e4d2123dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57e34b.TMP

Filesize
89B

MD5
b8910d2d47c907d82dbbe3b3c6e9adf3

SHA1
0bea748ad73d5ad5261ef65638890ea72894fd91

SHA256
8aa1436782e339816c4d89843e263dbc262db0026474e525fb9f724911523a8f

SHA512
c29e02d1d1cd0bd836ac2f1f111033036bfa74a9fd9e6bfd2ba24d553f8299ddc59f009b39499a41d6517fb940980defed91f8a3c42577049866e11d9b84616c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
43eb735ba440ee565aca999797188828

SHA1
100a6ec527ee8633c19128754a949ee95aeac127

SHA256
5d4dc2ad522c2debb7b58e92aea9e98d42f09fe0968ec7e9a3d2dd0036b957eb

SHA512
19e512340a5f4114ffdcc87ce1f66b05f39dfa66db0b55a3c588816bdba0f843fa1098b5a168ceb96743c2c41b0ca18372cf990f23c2e76887562044d1a9d8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583246.TMP

Filesize
48B

MD5
5c774cf7d55b3b6d33b47d8590e4a7b0

SHA1
44c0a725633f155d7c17f94184ec2df0b9613df2

SHA256
7995e52a9bb822451b5fd8f359ae7a22ef5c9c6412d9bf7529cf0f5a56ad085d

SHA512
3e2ff7344b87d3a8c40798c12a5c8f4253bb462da43568370e88ccb6c4b2a503184111ca10c5e5a6a57bce0f214bb751bd729589e112702fefbb4c255b0f7125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
48f4e0060b13f804c6c01aa2986fa6fd

SHA1
a423c86c640f62f98be35fdbe254d0fba618aac8

SHA256
3b1bb922ed4b3e34b96735769753ef3f4771dd32ee4159a44cb781424fc21e44

SHA512
801242923d8028f780a2da91ba09f54e0648746b6cefcaa53df1a76b29cbb5d33b8ae9b2ab06f20d7893dfc7b287e0de657dc92051096185534a1bb96fe6db07

Download Submit
memory/1164-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1164-8-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/1164-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1164-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1164-2-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/1164-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download