a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Size

712KB
MD5

78a26822a19d69d1cc71043a751a00d7
SHA1

7f936bc2287a496708296266b5cb38b1748f7998
SHA256

a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291
SHA512

c5b04e693cff05797b1a8480f1fc00b1a70f39ed51bbde38f706720e395280b3983f11c8e7cfd51a4bed65579117b6dbb7592a28e3997f11be57d3a489fa8410
SSDEEP

12288:f6gXRxLMjBBndVElsUHxFcFYwJFboyQJJCBIPNJ2:ZXRxYFVdVEsyFceotoyS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3304	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Windows\SysWOW64\Beauty.ico	expand.exe
File opened for modification	C:\Windows\SysWOW64\{B05F73C1-F5F5-4255-84D5-32F878618A78}	expand.exe
File opened for modification	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	expand.exe
File created	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\a189d5e77a2cee479c66b498b0e4b563.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\235eb8a853398e4b9644c5c7371fec32.tmp	expand.exe
File created	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\347211d9b8597a4187d9215148e203a2.tmp	expand.exe
File created	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\5b0157ad2dad964396ec9eaa51269ddf.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\Film.ico	expand.exe
File created	C:\Windows\SysWOW64\safe.ico	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9f980b9a6b3d413cbb40c96faf463ad4$dpx$.tmp\46f80d446cc6ce478bb00074e3820f77.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\Video.ico	expand.exe
File opened for modification	C:\Windows\SysWOW64\Music.ico	expand.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1432	3304	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
4232	msedge.exe
4232	msedge.exe
1508	msedge.exe
1508	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Token: SeDebugPrivilege	3304	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
3304	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
3304	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
3304	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3304	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	85
PID 1204 wrote to memory of 3304	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	85
PID 1204 wrote to memory of 3304	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	85
PID 1204 wrote to memory of 3344	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	90
PID 1204 wrote to memory of 3344	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	90
PID 1204 wrote to memory of 3344	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	90
PID 1204 wrote to memory of 3312	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	92
PID 1204 wrote to memory of 3312	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	92
PID 1204 wrote to memory of 3312	1204	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	92
PID 3312 wrote to memory of 2484	3312	cmd.exe	94
PID 3312 wrote to memory of 2484	3312	cmd.exe	94
PID 3312 wrote to memory of 2484	3312	cmd.exe	94
PID 3492 wrote to memory of 1508	3492	explorer.exe	95
PID 3492 wrote to memory of 1508	3492	explorer.exe	95
PID 1508 wrote to memory of 4392	1508	msedge.exe	97
PID 1508 wrote to memory of 4392	1508	msedge.exe	97
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4416	1508	msedge.exe	98
PID 1508 wrote to memory of 4232	1508	msedge.exe	99
PID 1508 wrote to memory of 4232	1508	msedge.exe	99
PID 1508 wrote to memory of 1792	1508	msedge.exe	100
PID 1508 wrote to memory of 1792	1508	msedge.exe	100
PID 1508 wrote to memory of 1792	1508	msedge.exe	100
PID 1508 wrote to memory of 1792	1508	msedge.exe	100
PID 1508 wrote to memory of 1792	1508	msedge.exe	100
PID 1508 wrote to memory of 1792	1508	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1952
    3⤵
    - Program crash
    PID:1432
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.779dh.com/?ukt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\9SfGp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\Windows\system32"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3304 -ip 3304
1⤵
PID:1636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.779dh.com/?ukt
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4cbe46f8,0x7ffc4cbe4708,0x7ffc4cbe4718
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:1792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
    3⤵
    PID:2676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
    3⤵
    PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:1872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
    3⤵
    PID:2808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5151742412463880774,8887176572273136155,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4224 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Filesize
712KB

MD5
78a26822a19d69d1cc71043a751a00d7

SHA1
7f936bc2287a496708296266b5cb38b1748f7998

SHA256
a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291

SHA512
c5b04e693cff05797b1a8480f1fc00b1a70f39ed51bbde38f706720e395280b3983f11c8e7cfd51a4bed65579117b6dbb7592a28e3997f11be57d3a489fa8410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
368c244e384ff4d49f8c2e7b8bea96d2

SHA1
69ce5a9daeaf1e26bba509f9569dc68b9a455c51

SHA256
6f8cb8fe96a0e80be05e02f0f504e40d20e7f5db23fd0edee0e56bcffa1059a3

SHA512
ac460f1b35bcdefa89104e26379fc5639499607be6559353665a73ee8dd41822699d767532d48cffc67c755b75042294c29e93062d4eab22ca6bcbe054108a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8004d5759305b326cebfa4d67dee5f25

SHA1
36b9a94959977f79dd0a14380ba0516d09f8fcaa

SHA256
21f35e2ac53a817389d7027e99018450993fc66e37f916e454bff9eed95562d7

SHA512
7afba827395c1a5438091bd2762a097f6ea098fcbf3db99f90f9bc442afee7a7841a6e0e83f9cbf017cda0e52d35da93f8efd60cec73638baea5eaf1c85b7089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
519cebe6bd9f77cac53e1378a170abb5

SHA1
cf9a271c31c2a8cdc4749c84d0002f1dc75341e8

SHA256
ba8039fb070150fce268898c9fc877b71297be20f437a7dfbb81ae9c4a5fa9f5

SHA512
0354ed377d7f2f8614d275913fdebd73cee2cc0034395c94d2a068453399374e3400b4ec7eea26d26d9847b0d7eaa011cb61d061e01f6bde71d16b4df8960275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0b484fa9c454cec83ce22d1ee6176eb

SHA1
27af60db8fc4f2f7a86accc82f6d373e961ff678

SHA256
19c7364db2de04633a4c76dad657eda22d51dad07c5e69a293d378fa150eea0b

SHA512
bd085cf87689ef37ca853c7ae1df76ab2d45caa89cd5f38490a922ffd85ac56273ffc665343264945d3a5172e98de7ae0d39f6fb9b64db4fdac78efc583ec803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22a9b91ede2fbacb90cb11c9ad8194c5

SHA1
58ca931f8411e3a99d47cc002d3cc22065d8f48b

SHA256
7599af6fb3bb7993d47711156dde1db87637c8d887015e9b04ac2530c6d967d3

SHA512
b3083983bc566a10b778fcf18b7230932d30024fca47f55ab56407f1bde770d31727f5eb54ba1d87d019ef86e216b8c5b7cec853fb8da60865750a668245945f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9SfGp.bat

Filesize
102B

MD5
1d195a138c3cc7c2099100779d273198

SHA1
998a370276c102c52dc86c5a78490a9609977b34

SHA256
cd1d36b93ddaf2327f1e46a620d32104509a5b4e16d226534b04dc910bca761e

SHA512
137c6dbc7a577945ac91ea67dbc2e51d7a3b7d3116f7b94da7c0dc1bbd4190ac3ebbe29b5c0d759051cd584cb7e0ce2a75401c5325de5ff0f3ea7f0df180d655

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
15KB

MD5
dbdc54e84c7d8dd5045b4404dcfaf1eb

SHA1
bd7db05e8cb833788c0fd02d90aee3e7729c743c

SHA256
b92db05a6360c50bbd3fa2c180007b104c5ec042403d14aaeb7629b3e9f36554

SHA512
0d76ed2cfc11033378cb7c7d99d4bf7d936b52e790826be3b6941f93e3c20a516ccbf9c65c2a7e444f496c7aa3d33c413f2d12bf6202b3b45ccdbfbc447e696d

Download Submit
memory/1204-20-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-21-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1204-0-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-1-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-2-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1204-3-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3304-19-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3304-8-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3304-9-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3304-10-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3304-11-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download