03080e416f1afe4ed0d2a8f9f054157c95c5a8d4c8f28a3b267b683208551da4

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7333593246047b81aa06a59345d27abd_JaffaCakes118.exe
Size

1021KB
MD5

7333593246047b81aa06a59345d27abd
SHA1

641c26e549f75262778715a6c7420f9bba5a443e
SHA256

03080e416f1afe4ed0d2a8f9f054157c95c5a8d4c8f28a3b267b683208551da4
SHA512

b1287d4a83cd74acf117895c9e5f144209f6d615f1510bf8ca73535ee27169697811686bdf9d1806fe78b6ace1ae7500c200215bfecc6d4be3030ebf3bc36504
SSDEEP

24576:7TSPqYdAAsseHzAV7LSQbx3pMqPjH2BmAdwIEj:sqYdDSb4pMqPjswI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	SasPBHackV8.9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7333593246047b81aa06a59345d27abd_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7333593246047b81aa06a59345d27abd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SasPBHackV8.9.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4920	msedge.exe
4920	msedge.exe
2236	msedge.exe
2236	msedge.exe
5128	msedge.exe
5128	msedge.exe
5524	identity_helper.exe
5524	identity_helper.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1848	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	SasPBHackV8.9.exe
1788	SasPBHackV8.9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1788	5036	7333593246047b81aa06a59345d27abd_JaffaCakes118.exe	84
PID 5036 wrote to memory of 1788	5036	7333593246047b81aa06a59345d27abd_JaffaCakes118.exe	84
PID 5036 wrote to memory of 1788	5036	7333593246047b81aa06a59345d27abd_JaffaCakes118.exe	84
PID 1788 wrote to memory of 3720	1788	SasPBHackV8.9.exe	97
PID 1788 wrote to memory of 3720	1788	SasPBHackV8.9.exe	97
PID 1788 wrote to memory of 2236	1788	SasPBHackV8.9.exe	98
PID 1788 wrote to memory of 2236	1788	SasPBHackV8.9.exe	98
PID 3720 wrote to memory of 1264	3720	msedge.exe	99
PID 3720 wrote to memory of 1264	3720	msedge.exe	99
PID 2236 wrote to memory of 2760	2236	msedge.exe	100
PID 2236 wrote to memory of 2760	2236	msedge.exe	100
PID 1788 wrote to memory of 448	1788	SasPBHackV8.9.exe	101
PID 1788 wrote to memory of 448	1788	SasPBHackV8.9.exe	101
PID 448 wrote to memory of 4360	448	msedge.exe	102
PID 448 wrote to memory of 4360	448	msedge.exe	102
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 2528	3720	msedge.exe	103
PID 3720 wrote to memory of 4920	3720	msedge.exe	104
PID 3720 wrote to memory of 4920	3720	msedge.exe	104
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105
PID 2236 wrote to memory of 2668	2236	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\7333593246047b81aa06a59345d27abd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7333593246047b81aa06a59345d27abd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SasPBHackV8.9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SasPBHackV8.9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinggalenter.blogspot.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffe37f46f8,0x7fffe37f4708,0x7fffe37f4718
      4⤵
      PID:1264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,6084948703828002474,4828125502247274165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,6084948703828002474,4828125502247274165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://2502280e.linkbucks.com/url/http://tinggalenter.blogspot.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fffe37f46f8,0x7fffe37f4708,0x7fffe37f4718
      4⤵
      PID:2760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      4⤵
      PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:3640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:1684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
      4⤵
      PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      4⤵
      PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
      4⤵
      PID:5492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
      4⤵
      PID:1272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
      4⤵
      PID:5720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
      4⤵
      PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
      4⤵
      PID:832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,6984026705898121567,12902145393494253357,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3576 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinggalenter.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffe37f46f8,0x7fffe37f4708,0x7fffe37f4718
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5914936343967569351,8509403105976762280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
21KB

MD5
05da0ba82e7797f5544acefcb87bf1b2

SHA1
42872e7c218983b293da9b8330c621cdbe1a6267

SHA256
12a685f5bde1a018f98b700782377d1640f7a1ce6a7f5da3900911ec382c787d

SHA512
7cb503efc6ce9b3c0aef5a3542c4a95e7d3bc16cdaec394905ebb8c79ca05c4b7317e668201a1db2b7ebee5d79d57ee28c5e1e3159c3b744f3309b19b84b6a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
45KB

MD5
e9d439802e86f4bd21b443d97de8689d

SHA1
43be680996fbf959b86f441f5575251b15bbad3e

SHA256
13d296d36b1cebae0065599048c3a1f181c6dc435d4af2dcbae6d9461ed839cf

SHA512
530f42ee9576c18d8865b5f81b8dca6bc1e657cdc73c3e45cd27588edc201a20a55712ff2c9e92b05e24edc02549ffcc06b3eef1315faa55a1cbecbfac434fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
9ba216a9e1a0eb585dfe79c09a641412

SHA1
66567c72e67a53480fa8139180bb4df8827fe13b

SHA256
a129f4245ec44928e1e0574049a392914ae3915bf60bed36684dd9c510923599

SHA512
2e12b32ea09ae55904650b0a76646268f7caf213edd912bf6507125f762563f93d7834bd5a7d43c9a28054adf187bb08281b63dbb33cd97037a01cc4bad1c8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
684a434ed30cb33aafaedf3f1c577ca1

SHA1
c8eb02df104e78f16d8571df91de51a1a24e474d

SHA256
b252e6e76b882c03755c592a49622709f0be933e3da35013ae1fe91233eac6dd

SHA512
ff222ea66ca259450b18a6e153fdd653b69db718302ac95a4a3cfb1a457cd7748dcc1d70a802a6559a8ba3cdd3b7ca9e0894a516ec1f28814a3eb500ea3b5e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e3464a8d5243b55baaebc02dd13c97a5

SHA1
f464708ea7d6759db73b2cd6f4cc89a13f39bc48

SHA256
45fe9167c1f1117c9c47e3cd01dade21c8a7b065f1e64fdf445bbaff59efa341

SHA512
12cf691b11a406aa356f3ad6e7fdecab4ae69d1fefdcc1df1fca1f6dcda4745e658cce39a3c30a52c82fc27acb3b84607da1d8e15c63cdb278084692c07eadb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
022c3e288cc895c6148558e9c7471b84

SHA1
e65d437bd68c74a82a32ea86baedf4f6ca456c04

SHA256
cbfefdd02a2891551fbee0d90d9eb1932e501b3a6d189fdef0ad08e53e5dc4fe

SHA512
a0ab5697582da18f45ff6d3929867e11b9ea82a4316b7200b480db525b1338e4df02ec2545bc621e9e7436e799644733382f2afd9cfed61ce37bac0b6454a0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8470ed0386e04f54962b888faecde0d0

SHA1
db7959d54c81efd26076f8d758b705f4e6555b93

SHA256
851ef1dae0cf54533ab2efe6bd11dda4db4cc6e8798b8f93e3a2eb6be0a94f24

SHA512
897dc951617e3ab584773811049d1b82f86f743609a2b43021da099039ffc69342b308c479fd3b33b35154bb4287a3ec05fb9e25cfc8df15759667e082948d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ebff4789f3b259ebac5ac1c8f73bee9a

SHA1
b09f63ebd1b3d3034afdbc8751cba746a2c1dcf3

SHA256
3a633af1845944a48b50e838a5ba150000f9002480b9e88ac07ce798d3830a18

SHA512
c55212ec75e0297e83fb0b612e7a81cb80c503bda3d2a2d5e30f595575552c9a76596d7285566fad9fa18c578d80a1b3ae148a30be853dc0bdf15818fa0b509f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b659e8e0e62db598b86475c95dbeff50

SHA1
5ee700e6065580808e9cb429e682812b650882f8

SHA256
f4d723becb32740e01818d0c7c3b5e3c3087065bc137e436f13caf1af0458281

SHA512
303b156071ff82abd4a4502ee92299a854e712feb4f031068ab908c8e64a4a65c0e1af1924cbb2b2ded982c7709b0c18690a68c8c2303099aaf2660a314d8b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6af4157bd24bcc923b11af5bd2c0634c

SHA1
da8db353b1099b3dbfa5296227d3b5913be48cff

SHA256
0d73af9763bf6f3a398b52b10b685655ceb553a94c98668303ab9aa9cb402cd9

SHA512
3618cf7718efbfb7a498a0c007628eff26d6c92d0aea9e205e80cfaa51c519d48e53663f71d46738abf6913b86d2e9890a9d912d2389275944a8bfb208d072d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SasPBHackV8.9.exe

Filesize
204KB

MD5
8f16808f8b8cbb489e0b7dda9a9ffbad

SHA1
8478cc1f2052e5c9d57a142d2067b5c461e644a0

SHA256
34d3bbdc2a7b037b86edfa9fe988aa8e067eeefb20f814152ff776ef591a0675

SHA512
dec82eb87f9d471fda418dab11040b40e5ad6d06fc461ebb4b9cc41f99ee4e853b9d5523bf2f0f88423fca84ca33ad7394bafd39ab66e31d331371b18bd9f368

Download Submit