28c9daf07aad36d10de2bab37eddc4ed5bb43abe83f552d54858f1802f4ea058

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
Size

296KB
MD5

66d77529c265f75e24041501aa808af2
SHA1

a58b711db163f6de743cc6b47d7c0b3e1ab91cf9
SHA256

28c9daf07aad36d10de2bab37eddc4ed5bb43abe83f552d54858f1802f4ea058
SHA512

80b682e4acfbbb9b420f2a4897bd01ae253496924439d2762ea22e68dc9edbc139e5e846861557345e28be7a3112623606e590a5057e77b09023da2b69fd55a1
SSDEEP

1536:T/FxMG+EHZ9GigvPMcHGfyWufuZGjs+RGdUDqBhecbBNKZKCmOqUyodD:TNx1KD631ecbn5x6D

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\X:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\Y:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\E:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\H:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\K:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\Q:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\R:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\W:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\B:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\L:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\M:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\P:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\S:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\J:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\T:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\U:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\Z:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\A:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\G:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\I:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\N:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
File opened (read-only)	\??\O:	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
4776	msedge.exe
4776	msedge.exe
3008	msedge.exe
3008	msedge.exe
2400	identity_helper.exe
2400	identity_helper.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4776	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe	87
PID 3092 wrote to memory of 4776	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe	87
PID 4776 wrote to memory of 2020	4776	msedge.exe	88
PID 4776 wrote to memory of 2020	4776	msedge.exe	88
PID 3092 wrote to memory of 3148	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe	89
PID 3092 wrote to memory of 3148	3092	66d77529c265f75e24041501aa808af2_JaffaCakes118.exe	89
PID 3148 wrote to memory of 4576	3148	msedge.exe	90
PID 3148 wrote to memory of 4576	3148	msedge.exe	90
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 5068	4776	msedge.exe	91
PID 4776 wrote to memory of 1004	4776	msedge.exe	92
PID 4776 wrote to memory of 1004	4776	msedge.exe	92
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93
PID 4776 wrote to memory of 3720	4776	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\66d77529c265f75e24041501aa808af2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66d77529c265f75e24041501aa808af2_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://garasiinspiredcommunity.blogspot.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbc3746f8,0x7ffcbc374708,0x7ffcbc374718
    3⤵
    PID:2020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:3392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    3⤵
    PID:4344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12847689819072608338,15622407199892819518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/EVAL.CINTA.ANANDA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffcbc3746f8,0x7ffcbc374708,0x7ffcbc374718
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,17879397901786719646,10095460730687593628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
2e623c3c410836b87b7a402f6ae2b9e9

SHA1
d04533f23672af7420ce10ef1d569e119282df9e

SHA256
0cf8dfc0628d8acd6522dac9b8d8d9c4d0081a10276a051b580311097abe978e

SHA512
db18de1f5fb14bb3d5e866aafff6d5ebc500af4348ef736bb4e99287c30d4dad60fce4ac69e4ba17e14f6410dcc562601debab09892662eebad8d7f94a1a7afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8e50252d1707d8a20b37ea77acc0a440

SHA1
2c981d0d3a5c867346302ec2f1ce742f8954e22e

SHA256
4cb2daad29cd4e385033dc452f8b1c658a41d556f6f1c4f190b02e99e3f1b979

SHA512
107af229d5812d557a54bbc59ea6351bec0b52016443391e26bd04c1cf2ba7c0c197472417787455d616d04cb8aca2620c63d058b47e343df9f99353af062f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06ba87f1e98f2dbe561982d10e134e57

SHA1
23aaf346282050962bf8f281c8a5b765a3c41f9e

SHA256
ec3bdff2c043d124ab1280f79d379666a0d12031c3ec9e7b2f58e3850e501709

SHA512
36829eb49597a99c363af34461c15578cd722cd275978ded6eb32ea19fb8143898206184b264358738a1626633cc5e540bb3f00fd8bac7b7ec9646699b8cf965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
82e3923b36e4451ea5f8253014e29623

SHA1
af691478e97da3d4d7c91ee6d95b86720fe5ec7f

SHA256
719ee57122b7718528f6e6ec6c0c3cc7505fa04d3d1d1aa33f72573d607cfc5e

SHA512
4cc2cbe1517f12682f6670fab1542e1de95daa8b5903055cc643d927738d697a5b4b9a5af97e9aa6b13c443eb0c65a2a023375972ce43b9f68f95b0514ffa697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
88d3a90a2951e1b55e595cdf7fcb94b1

SHA1
fff6e1584db4d3e1b0d5601d17b57266bed7c8cc

SHA256
3cad92233472b0df5c280cb3479f61ddaf07e018a1e861e2723690aa5ee1e834

SHA512
aeb0d61889019dfb2f82e8f8c5c7d2493ed27f814ce07ca0ba51f509e7c842b302dace746963ce8bb67e17c088d9af8866d435bea970968f1cc0517f42e4c0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
26da08f308f81aa41d6122fa69fe84a0

SHA1
4c14dfd81e873912300ec891a3bcbc99c8b3669b

SHA256
6174e096f530d7845344a3dc1c4c44f0f813e82aac83d00abc5b47e199157340

SHA512
88bc39b2b812499fa8109c31a5328b4256b4b101d69d0d3a078609a2d60a02e5824cb0f4fc76bf33861e5a096a7aee0150ca376ba0bac499ebaf94816617a13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
20a4793eed3cc7f8886b82bd0ffdf3fc

SHA1
b5b0bfcc1fdc34405c4403eb5cc4747078e0c026

SHA256
7283319b7add03d3673cf4dcda1174c5db0724d43c09ab56ffe216101d658561

SHA512
2bf943b0090d67e656f83a1db018806b00abaf3d60fbef72e19c57c45de8867a0410e70670f960421eead9b0bfbb0ea7a45ea36631ead92f5c8b2a13fd5cca93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e7a1.TMP

Filesize
705B

MD5
833bac1ea958750cc20005a32eb90268

SHA1
22c087a3d2e676e7c4c4c417ec55c39999537a52

SHA256
b3c257be5b000b3a16fe01b1e96c8363665e2f4424bad28bf6d66e3490b8eddd

SHA512
9c87a18bd550aa40f3f8e9e638c7a9aa5ef3230b4d5eddefe71afa9a9f8821dfcebc9be6f1c002590059b43573b1a7e7f0a051b09f64e6b5f7b2a12e1ec2626f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1d969066f083887783736f0f3c7f54dd

SHA1
3b1914c6f489effe885da34e4f484c9d025a9251

SHA256
8c7b517737a1bba8623032bf18cf8f0cc6bc5683b18c78cada72515c062c1a71

SHA512
dbe6a64fdaa7ece6f44c531a2cfd2b558209ac27db0c131c8abe6e3da562b3e247f24f82e81e7ea4e5488fb2481b2e9e1e3d682681e0d0972bfa640e578a0797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5af30ca547f24b794eaa4dc1c1ab5d05

SHA1
73de07e05b6d9aa3b793d7f0ce9455d3d97c5ff2

SHA256
ed850f03d6ccbd66e124728dc93f2cab15fa09bcc3b8ed032bfcc8d1927a910e

SHA512
9cab30bd9abc455287922bc3e697d54108e5ae7178d0bd5f4481937854c237ac4b0fa956dd8c963b796bbc20e1b01a52131e19baa52700cd4e50bf5e602e7b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
2f2dc2ce16a74370548165802d8fbb8d

SHA1
46943a119db90f7df2304a923a0ab07e5fab5b47

SHA256
e9f6521f2090ad982b162686f8c3dd989e436d3c6f8f6f2b0f3bc47f4a6e6142

SHA512
96dc141222d44cd9a261cec6ecfa47d1b6dc96e7234904ab877cd2855f9a027ac1108d59bb408725d6e87c03d5ea5f289bba4eb82df2ed67135676f007c7d8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit