18191af541ed382fad167699b2a7cfec1afa826d45e9a1bfaaa13016040ac4c6

Analysis

max time kernel
147s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe
Size

388KB
MD5

741b0447d41b8a85a5ce2f74f28de1d3
SHA1

bd488ce1fc760ee4e7769111947a47257b418d0c
SHA256

18191af541ed382fad167699b2a7cfec1afa826d45e9a1bfaaa13016040ac4c6
SHA512

585c998f0fc874aeb2c163474fab98dca19198515939597f8446be39d67ccfe79e12bbea4c1f784c72938be83d0bc645eeefa86634469fd03b6d934afffd8260
SSDEEP

6144:29fidbNy4unGJHbRtfsaRZS05wvyxWjWv960XIu8mIfMGu6SlefZIm:3sn4/RZH5w6xfvbHIXu2fZr

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1564	hpset.exe
1356	hpset.tmp

Loads dropped DLL 1 IoCs

pid	Process
3920	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\TaoBao\is-I7J15.tmp	hpset.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpset.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpset.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regedit.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	Regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.hae123.com"	Regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
5028	Regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2176	msedge.exe
2176	msedge.exe
320	msedge.exe
320	msedge.exe
2460	identity_helper.exe
2460	identity_helper.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe
320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3920	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	84
PID 2724 wrote to memory of 3920	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	84
PID 2724 wrote to memory of 3920	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	84
PID 2724 wrote to memory of 1564	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	85
PID 2724 wrote to memory of 1564	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	85
PID 2724 wrote to memory of 1564	2724	741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe	85
PID 1564 wrote to memory of 1356	1564	hpset.exe	86
PID 1564 wrote to memory of 1356	1564	hpset.exe	86
PID 1564 wrote to memory of 1356	1564	hpset.exe	86
PID 1356 wrote to memory of 5028	1356	hpset.tmp	88
PID 1356 wrote to memory of 5028	1356	hpset.tmp	88
PID 1356 wrote to memory of 5028	1356	hpset.tmp	88
PID 1356 wrote to memory of 320	1356	hpset.tmp	90
PID 1356 wrote to memory of 320	1356	hpset.tmp	90
PID 1356 wrote to memory of 2104	1356	hpset.tmp	91
PID 1356 wrote to memory of 2104	1356	hpset.tmp	91
PID 1356 wrote to memory of 2104	1356	hpset.tmp	91
PID 320 wrote to memory of 3376	320	msedge.exe	93
PID 320 wrote to memory of 3376	320	msedge.exe	93
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 468	320	msedge.exe	95
PID 320 wrote to memory of 2176	320	msedge.exe	96
PID 320 wrote to memory of 2176	320	msedge.exe	96
PID 320 wrote to memory of 3960	320	msedge.exe	97
PID 320 wrote to memory of 3960	320	msedge.exe	97
PID 320 wrote to memory of 3960	320	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\741b0447d41b8a85a5ce2f74f28de1d3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Thunder\thunder5.db,Setup3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3920
- C:\Users\Admin\AppData\Local\Temp\hpset.exe
  "C:\Users\Admin\AppData\Local\Temp\hpset.exe" /sp- /verysilent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\is-KTKMR.tmp\hpset.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KTKMR.tmp\hpset.tmp" /SL5="$70112,51900,51712,C:\Users\Admin\AppData\Local\Temp\hpset.exe" /sp- /verysilent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\Regedit.exe
      "C:\Windows\Regedit.exe" -s C:\Progra~1\TaoBao\info.desc
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Runs regedit.exe
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ttver.com/taobao8.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacd1a46f8,0x7ffacd1a4708,0x7ffacd1a4718
        5⤵
        
        PID:3376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        5⤵
        
        PID:3960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:4556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
        5⤵
        
        PID:4644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        5⤵
        
        PID:4380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        5⤵
        
        PID:3920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        5⤵
        
        PID:3196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
        5⤵
        
        PID:3884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        5⤵
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
        5⤵
        
        PID:3132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
        5⤵
        
        PID:1072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3664199916227672355,8555114807591628421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\hpset.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TaoBao\info.desc

Filesize
280B

MD5
a0fd44bf16c285a195d371ba2404dc0a

SHA1
1880991f3f49d2f35e86ce2575d7535517a10f28

SHA256
686ea1ff46449d5412e6454ca7329a6f03e777714e35d502640c61ac16849613

SHA512
3477a190eda4b3fd79319ebeab24c3a62cdaffeb4d58f65488713f23e370f8a906365985dad5a8bd39a5d2e047c6f1da40af1d952cb3899c9809a32fb03b970a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a78cae7972b726c256dda991a20e8546

SHA1
96b37b02d05dfd52ac40690e05491409a546be6c

SHA256
c858fc458692738efa8ae5e9e9e0e112b62023c74bd97242580949d9bf32dfe8

SHA512
b9d6d9abc7fd8e2d386d01033faf12a57acf4aa7e95e889bb348d8e3f61cce5d3e2f96d3b4f21b9317ec4b59edaf3a10f538dc8c9be3100ed807e0cafafb420b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3be1f6d10a40c12e30eb24dc4049c722

SHA1
57b27d42bffff8a4ed644ae910c9c6a2d395cd86

SHA256
3b48fc05164e5176ce38eb69c4fe47a899731495e9f8d35e4811cd6088729a73

SHA512
d5e4cad42be149010c6e2689393e680549668b9a8f30950b80dbb6c0086ec771e0233ff2bb45ff68744edd7e9cd36ac7f68da64f0995615220066a58ddb833e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa8fb507b28f84d07d20f03952998f12

SHA1
c43ec3f06a2a9a0ac3c18bbcd7fd55bd83a2efec

SHA256
bbca5c8bfc5e4f78bae2a73c4485891840cb56e008da5175cdede66246816fbf

SHA512
e55fa8355a0b62f3816a5abc813914883964ba910926f9bf40f6cb34300181a60749a0b47d6f4c00f11fe7cbef9a3f0234182bc749ffb7f484fe9a581792f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thunder\install.tmp

Filesize
294KB

MD5
bfbba702ca31bbb1b082521e87a9067a

SHA1
bf29549b99db4b9f8112f9831c56db44cfb08eb3

SHA256
bc4395e036c59c363b497040c7fdad191d2c3db6c1f18796302c1fa88cff6b6b

SHA512
2bbb166b7eb65d9975e3cb2a08b4b9d5678a7b28ce3d18a996b26471307ed1b19af9c2dc5f494ed3d77cd4f8d0f24d6c2729091b307d89b855586d44c27e8fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thunder\thunder5.db

Filesize
97KB

MD5
d0d885964308597800717eb6a9116de2

SHA1
d9afe4db4107f87e9983df572592b7769f454541

SHA256
787dede6822d294b735bcb0a9ed2c9f556319cc384aafbda845f061b72c2506c

SHA512
0933a79963c284cd8f90941b36a702ec05d539d0655b822c7c1d5da8f6a251db139934c6850279a2c52407876b014c97c8b6ef5b77c840eae0b419329d521a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpset.exe

Filesize
294KB

MD5
3c29a1cd8a1eb1ca9c4c50b1ab803d6c

SHA1
98328dfd141a0ea8e786e3788d5871b58f81fbcf

SHA256
fd66b2d5e0f29935eae46820a4ead3d720be63fc1b2a77fadc3b6148e1209811

SHA512
1127efbadf1a1f06347b7fee4822636e34b889c965eaca4a54339df2176cf8c6c8b7edc2d950b5f09c8b4236e381f28357d1e6cdb720f4c006bc4d72cf9538c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KTKMR.tmp\hpset.tmp

Filesize
706KB

MD5
1a6c2b578c69b9388e22d38afa16a7fb

SHA1
186370d5438b1f5f3d75891aa8412e8edd00981c

SHA256
86ac18632bfdca026df9fe12a1d4df2de64bbdc1d2d7e42d2dcbf7809cbbebb3

SHA512
fb868c629cd0255b7620c9260bb5712b6622f53f0b7de3d6125c295e02d16f03584ce3a90eccb02b65ce9825885aa1bca5f68c7cc09dc0c09e7c208fcef54714

Download Submit
memory/1356-33-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1356-24-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1564-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1564-14-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1564-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download