83f5c60633475ae50b42629dea84314f74094c3770d72329af762c1cc74680be

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

681148ac866ee08182ffe71934df313c_JaffaCakes118.exe
Size

135KB
MD5

681148ac866ee08182ffe71934df313c
SHA1

cb025f81ace932cfdc46e70140faeeee030ae626
SHA256

83f5c60633475ae50b42629dea84314f74094c3770d72329af762c1cc74680be
SHA512

a3927f29238dbbfcde3d091146a2b094814a9c170ad89433adb78f2ba6f95e789b14428cb7dd87303adbe4ccc528f656693534c081a0ca504db96a1a2f905296
SSDEEP

1536:I0Y0qkc5IvFz70yiVdqDkhSchSWiSDWP/OsWQH6CazASXhXSWLlWT3PmcsYN/Xzx:IMqQFdiVdubWibOQNi3MWL4FksNYFfPK

Score

10^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	plugin.exe
3968	watcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\plugin.exe"	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	watcher.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	watcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	plugin.exe
1964	plugin.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe
3968	watcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	plugin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 724	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	84
PID 740 wrote to memory of 724	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	84
PID 740 wrote to memory of 724	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	84
PID 740 wrote to memory of 2536	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	85
PID 740 wrote to memory of 2536	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	85
PID 740 wrote to memory of 2536	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	85
PID 740 wrote to memory of 1964	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	88
PID 740 wrote to memory of 1964	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	88
PID 740 wrote to memory of 1964	740	681148ac866ee08182ffe71934df313c_JaffaCakes118.exe	88
PID 1964 wrote to memory of 3968	1964	plugin.exe	89
PID 1964 wrote to memory of 3968	1964	plugin.exe	89
PID 1964 wrote to memory of 3968	1964	plugin.exe	89
PID 724 wrote to memory of 2892	724	cmd.exe	90
PID 724 wrote to memory of 2892	724	cmd.exe	90
PID 2892 wrote to memory of 3656	2892	msedge.exe	92
PID 2892 wrote to memory of 3656	2892	msedge.exe	92
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 1084	2892	msedge.exe	93
PID 2892 wrote to memory of 2724	2892	msedge.exe	94
PID 2892 wrote to memory of 2724	2892	msedge.exe	94
PID 2892 wrote to memory of 408	2892	msedge.exe	95
PID 2892 wrote to memory of 408	2892	msedge.exe	95
PID 2892 wrote to memory of 408	2892	msedge.exe	95
PID 2892 wrote to memory of 408	2892	msedge.exe	95
PID 2892 wrote to memory of 408	2892	msedge.exe	95
PID 2892 wrote to memory of 408	2892	msedge.exe	95

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	watcher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe

C:\Users\Admin\AppData\Local\Temp\681148ac866ee08182ffe71934df313c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\681148ac866ee08182ffe71934df313c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  /c start http://youporn.ru
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youporn.ru/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffb29b46f8,0x7fffb29b4708,0x7fffb29b4718
      4⤵
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2
      4⤵
      PID:1084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:2724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      4⤵
      PID:408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:1436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
      4⤵
      PID:3028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
      4⤵
      PID:4600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
      4⤵
      PID:696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
      4⤵
      PID:1920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:8
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:8
      4⤵
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,2119068492303011526,5260376986454149600,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
      4⤵
      PID:5136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2536
- C:\ProgramData\Media\plugin.exe
  -wait
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1964
- - C:\ProgramData\Media\watcher.exe
    C:\ProgramData\Media\watcher.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:3968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Media\plugin.exe

Filesize
135KB

MD5
681148ac866ee08182ffe71934df313c

SHA1
cb025f81ace932cfdc46e70140faeeee030ae626

SHA256
83f5c60633475ae50b42629dea84314f74094c3770d72329af762c1cc74680be

SHA512
a3927f29238dbbfcde3d091146a2b094814a9c170ad89433adb78f2ba6f95e789b14428cb7dd87303adbe4ccc528f656693534c081a0ca504db96a1a2f905296

Download Submit
C:\ProgramData\Media\rdb.bat

Filesize
97B

MD5
5303b5018a6cd19200b98d31ab04f25d

SHA1
8285eb92f131111e40d2dc864d3b386dad6b9129

SHA256
464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524

SHA512
654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
111a8a02efa5d7748282a92f7626ead6

SHA1
ca018ccd927665bc98eadb590aad5b7f87838155

SHA256
89f4bda0b127a7f5464143329755f4eed5d6d686489aedacab22306cacb12b00

SHA512
a8918f09515b41c98ad0407fde639bad99e9a50fd9c1aae4e8f72185c9c4c104b6d25fd837a0b201d47b5b471bd8706c8a88375460730b6aff170eb87ac49478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54aadd2d8ec66e446f1edb466b99ba8d

SHA1
a94f02b035dc918d8d9a46e6886413f15be5bff0

SHA256
1971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e

SHA512
7e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f842025e22e522658c640cfc7edc529

SHA1
4c2b24b02709acdd159f1b9bbeb396e52af27033

SHA256
1191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e

SHA512
6e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2bfea31f9ff5b0260a55940cec0863e1

SHA1
9a0a69e9b424fd0a2919d0ca702ebb817f3a9b96

SHA256
5566727eb38bae7e30e310ef4c957689732abddabda75ce1fe1d55231e3863e7

SHA512
2886b24fe53ea78340ed12922cbe9d0af8f642c5f62eb4d099be4d91927e75eafd25955b14541b83969d2e440d0926c4840a48f9704d34f0437b70f3a3ef80f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a5acbf2e6ca02c5a305e17f8aa032a00

SHA1
6c4377247e752691e0f731ab80310479e395cad8

SHA256
8ceab8c04fabf2a24337166e4526a893ebffa616084f361fdd96dd4bc97fe8b4

SHA512
9e6914ed13da907762b7096093d3d065dcc8ec27cc1a83625d2c633080bc683f6c575a1bbb82e0cae830945cfb2ef717c2514a2e64d4bc08c7ebaef4bb557e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34bb6b52a4e2b28d39b93ab96ed2bb8d

SHA1
1ee092a493ac2a0d6b6a53b6ee11bb224b0ee048

SHA256
3a94e193b25611dbf485a6ae9c6906160e3e0e959a520902480021f08c1fca31

SHA512
34231b40eafd1e79acd8674f023c0e74bf739f5b71ff0c0c584e634c08829688071d21e9bc9cf43b0a6dea3cc657665d014a422c3130099cc15928cdf83baab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9daf14f3809c09a54429a1583afcd1eb

SHA1
d26e0d48c47a4e5c3c0043f2080ad49a8cb04f96

SHA256
1df7583f1e8840154c410b6b8c2411482054504be19f8b649656408ba549eeb2

SHA512
efb7c48456968e751bee619e473e026826a2fe836459b2e7376b7dcb70036c415c9dc0fee31b777a221a031d4633530bb187ce76ef005c881a3a909e968380b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
de3b61f251051013affee426b154205c

SHA1
78df32266e0b292ba6066e08d950e63bcef81d3b

SHA256
4d54f904c4031933ea5932fd6dc7a6da45f159b2fb29b477c8328d47d0bc21fd

SHA512
4ccfee7b057962e157f138419ab69a605fb6a2157fba3340e958e9b2a54e0c4e0b88dccf0167d832326038ee2bf6c7a23243ed9314affc94c54d407f7f8b7f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4be3bca9f91fa3256c79218dd1bfe41f

SHA1
94303ae12ead8b3e99faf1c5e600b10cf0f65d43

SHA256
e6adf4ab04338e63fc737d318941cee3f4284310b8ee65224e65911dcb7947ed

SHA512
ee8390c821318734194aadceb8249fef388ae6163307d5dd67e21ced3258e60d0bf96b974ed61809de77669c8439790ad266dc80ca5cee677db14b43cfc94c75

Download Submit