983c84c48b7d5d93326fdc9d0d081578d1fd11a0de5b6e2b73cc26c233f39d1e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
Size

171KB
MD5

83d8f170c4a5c738273fb92777d892f0
SHA1

0c1d3afb4ff683ce96148073e1229a83d95ed686
SHA256

983c84c48b7d5d93326fdc9d0d081578d1fd11a0de5b6e2b73cc26c233f39d1e
SHA512

80515b00c60b6a9a1c889a0bfdbbbd1153ca16e2e719869a7b097bda27a01b59339e6fd1fcd6eb10c1701c07d9157c56c4ddc99e2887c39419c0cbb3fd852a28
SSDEEP

3072:dTCZkWQNbv4iJrbmsma69uwirQUV6PStuzJ8bNRXbtmfTFbC6dMo7G6+7H5mac6j:dqkztvFrfd8iLozJI3t0FVEbH5ma0lIZ

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3652	5072	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Download	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
944	msedge.exe
944	msedge.exe
4036	msedge.exe
4036	msedge.exe
4044	identity_helper.exe
4044	identity_helper.exe
5276	msedge.exe
5276	msedge.exe
5276	msedge.exe
5276	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4036	5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe	95
PID 5072 wrote to memory of 4036	5072	83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe	95
PID 4036 wrote to memory of 3504	4036	msedge.exe	96
PID 4036 wrote to memory of 3504	4036	msedge.exe	96
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 404	4036	msedge.exe	97
PID 4036 wrote to memory of 944	4036	msedge.exe	98
PID 4036 wrote to memory of 944	4036	msedge.exe	98
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99
PID 4036 wrote to memory of 1692	4036	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83d8f170c4a5c738273fb92777d892f0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 396
  2⤵
  - Program crash
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa903446f8,0x7ffa90344708,0x7ffa90344718
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
    3⤵
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,13427433530595811810,7429644385534683244,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4100 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
1⤵
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
5f628fceb4c76bf6fc5f4caaf66be308

SHA1
e1b52424c4d64427742680d3e6d1be773de44cb4

SHA256
fd781b19c867da5d4447200b5a58747dbbcc55b348d2eb3b5686eeb9e906f4ba

SHA512
f9cef8119886280aa305265f8c97232d83b0211b9ee3a5d4b9690cc663f9151da43b18960c31062ebe7c0ebe346e0cdc8df0220604efed04ed2d4a85b433b0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3d3641b1bf5520478fb2910d88067959

SHA1
1e55f563b8a2129730752b3c946cc750813b67e6

SHA256
7c5addcdeb7343b6e524fa6df5e7a8f12b75bdd92a2fa60f726431b890037f72

SHA512
b37fa2c8639c87cc59c6c759b39306b6d9ef9a399357edc1e442d8824b801af92b80e087283b703c035d92ba5c15317332f367e2f653a62dff882bcac32f6689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9e945ccd87f976f2ccea3cf8bcd23735

SHA1
914f48fe2cd2fecfaa99978c87ded22e72c8255d

SHA256
d5f01de966c70565aab4bfd71107000e89973ea882f67ceb211de3ac7a1f5a30

SHA512
0f831b13fba7fea2d179dfd0d6c2b8e5fa964ec7b0beade0a029093fa5489ffe66af019bf8fb9b92b28745255abee11641422bb325b56636259b9c3451d756da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4dcfd65f753e0a3fe2d6ad183c214e4

SHA1
5694cf478489220f357a5c92222e455bb62d5555

SHA256
ecca1418612eb073951f463fc3a7f25517f05f0a3765ec5eefd9f071e76d8a2b

SHA512
07305cdbc5a617ef94b768468e73232173456cc1fbc769576c3fd93c9e9d1be8563910f99217ff31e177744a582afeba4493092daf22cc62d1087d25671242d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad612d816bcf55ced9cbaf64b125278c

SHA1
ab6267697df74fc71d08aa597c15421cbf1fdc5e

SHA256
f32076b89d954b09a65e86e39fd28cb9780a4d8c43740e0f4ce3da2e4ec97233

SHA512
a0eb6d93e98ab04d43a0700510e295c6c07fa1bc90b163d7a33b009eee591abd98594f76dc1705091c996cb64bb8d3362c9bc71d8bb0796ce3efff2e998999d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\517ce73b-f5ef-4c82-967c-8835187f7998\index-dir\the-real-index

Filesize
2KB

MD5
8d9b0628abacbc1afe7210fb950a5766

SHA1
46a4729b08fb90e1dadd39c6ad8181e085f77911

SHA256
2eb7409f3a5f4c38f56418ed55062d290c04c0ffd79b04535a6cb912a4d0ff69

SHA512
b0271eed58bc199046cb145db767118dde81b1095303f23e645ed430ab19600d6a27b73854282107404bd6e4dcd9ce3e82f8a6f5e2b600208e97bd0cf48a77ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\517ce73b-f5ef-4c82-967c-8835187f7998\index-dir\the-real-index~RFe585d3e.TMP

Filesize
48B

MD5
da22053587a801a7cf28b6fda3cba0f1

SHA1
1931628ed768a8f229fc1e5a37bf5e6a5304be7d

SHA256
179b4b62de24093cebd854ff784db3cd6072cf37ed639975a8ae6f2cd13540b0

SHA512
efede264e8d3817700af283e640b528e8b952f270043a87d236ffd81a405abd371172b3b81a07abf3ee7992b6cd48363f536763d323a864b11eb36100e907941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
119302f90d475b385148998003798ecb

SHA1
d5c0d29939a30cf98327b438948616e9417d9795

SHA256
96beb3f9245fb8a9a4ca9081c1e0e83e042f92a0174e1c1c5f805bfc1855c777

SHA512
49126c68ceacfdac449b67ba63caea57812c2c283aa015c0c51caf0a561384e7a7c3ec7a2f67828b53ccf54ebdf1abb3d569fe583131484a74450d89ac8a7c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f22dd013faae15452ed12be54c87e0e0

SHA1
f3014aa97f9f5c7f5ed75f45a787ec0c9ef09401

SHA256
0eff29ffd1436595ca52b7bd88530375e762518946140316459315a1c590b62c

SHA512
40113a8c9b902c3b3da75f0e8f197de01282c6be995003d2af9831a9ed8dcaf41f88d6451c17c0b04301e4574d42fe48a4b1f53a526beb2193e5d35983af803d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
497a76a14b0e356b2a7947ca27d18442

SHA1
ea8e5732a9abc366852a37ae14af3e6b03ab4e76

SHA256
6b5d0d88ce59b54aac7eb9a235b3a44f73673d69fd3a7d381c80caf1b4621420

SHA512
febe8ad5b6925f2a33fd3758943cc7758b24118fb2539e203af3f9c73de9c1dd8483ab328cc7c316307a68aea3a181f43ec406204feb26459cd5c2dabde2c578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5807fa.TMP

Filesize
89B

MD5
e319b0b4a25ad13430fe44d9de472a0a

SHA1
dfda10c856c51c1264492bbd5c1f537ae0f78b34

SHA256
f1ea63b1d2faee2d5758e73387aae010248c52a8f19b40a3b0a2d299b65b0586

SHA512
511c85d5a0c21219bea0bfa24bde2619c91c76c7db32c9f74c447208247709f184624a87b1d2fe64f0d322a45b15cf23dbac5183b339b48b0713ec69675e35a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d7769c98726bbdfe825c6004dcd9a1c8

SHA1
62b6446bc8520b452a901ec51f6e5d174378b1c9

SHA256
f7945d3c0756f0e9c9cf775b1131440a900971e9f5b8976c0fd58642278e51bf

SHA512
177107b4a332f4b3577e80522e9c8f70c98883294ef75e6629419feb2724dd936bc151f5872522d875335ba0844c9753474a0bd429022a0ef0931976789548b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585733.TMP

Filesize
48B

MD5
41a82508f71ddaa88bf62552a7f6fb97

SHA1
7cc0c5caad3fd1d2c891b8d7db5b0b333978bbb8

SHA256
be092205402721424421a734e4a2d8d1e4315956c42432ec2c1593dcf98b5f4d

SHA512
17c08d93009a6d6dcba74b4d2c1c7ecd857834811cd9d113c5615aad6f9776cc34f4c430f99e7ed90c1182612670c4a7736a48c1246e6a61bf00b4dbedd72457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f25dccd02b6689909cdebae2da3f5c1

SHA1
a6f31589ea04937eac1f832cf0cea0ab0f8ee96b

SHA256
e089d4aa4d338e21a03ee4d6c154c17b9704cc403a899648e7cb9a8433b9b8c3

SHA512
b68842ca4b9307c41b4fa163574010daf8ac5643db073580dd612d993fd293226bdbf4adfc845c801c9381af95c03d8bbcd064d17f958370813635ddf3b6cf70

Download Submit
memory/5072-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5072-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5072-8-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/5072-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5072-2-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download