630afea181b3cee4e3ad4ddc6f3e3d9bad277dadf75002a020529e553d45488a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
Size

1.3MB
MD5

aafa209f2e54ede4c6b13969d852cf98
SHA1

9f001870f43fe2f107c11212b4d1b916d50cdd4b
SHA256

630afea181b3cee4e3ad4ddc6f3e3d9bad277dadf75002a020529e553d45488a
SHA512

b98908af30841d2b054b23a38fc8b646a8784c1d88df37722d730dafd687346b04eb4b4ae4f01320e15b554c3855a315adad04c25451316858c40fc0c4c34287
SSDEEP

24576:vK9mfgoKvASnt3LBDal8Xw00Rt8YpMgYtC:w2Intt+OEdMg

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3252	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32 .exe"	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
976	msedge.exe
976	msedge.exe
4572	msedge.exe
4572	msedge.exe
1052	identity_helper.exe
1052	identity_helper.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe
1544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3884	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	87
PID 4436 wrote to memory of 3884	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	87
PID 4436 wrote to memory of 3884	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	87
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 4436 wrote to memory of 3252	4436	aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe	88
PID 3252 wrote to memory of 4572	3252	svhost.exe	93
PID 3252 wrote to memory of 4572	3252	svhost.exe	93
PID 4572 wrote to memory of 1480	4572	msedge.exe	94
PID 4572 wrote to memory of 1480	4572	msedge.exe	94
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 4808	4572	msedge.exe	95
PID 4572 wrote to memory of 976	4572	msedge.exe	96
PID 4572 wrote to memory of 976	4572	msedge.exe	96
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97
PID 4572 wrote to memory of 4468	4572	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aafa209f2e54ede4c6b13969d852cf98_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\\winamp\svhost.exe
  2⤵
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\\winamp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf34746f8,0x7ffdf3474708,0x7ffdf3474718
      4⤵
      PID:1480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
      4⤵
      PID:4344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      PID:5036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
      4⤵
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:4752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2254647845829865714,3774293241594479391,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf34746f8,0x7ffdf3474708,0x7ffdf3474718
      4⤵
      PID:844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
a03e1f6f5402a4a7e680d9ca23e96422

SHA1
aa0d465c706d2b3ea553432c01c9a8c527d4f6e7

SHA256
975fe28b70bb6e5c6265da1bfaa2540c25da713dcc686d4ea9db0b72920626c6

SHA512
4e0606503e5cde3b5f0ba2b3ba698c9bc463b7b4283650865968bbb764ad03994c07316061effae35905e46c2df6459f43939730ff7650355748218b0198acdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bb4ca57a08ce34175b471d4efc6cf02

SHA1
8f5c82ae1e64dcb08335161d97896e2cbc7ff478

SHA256
48856bdd2e398b52db41395a34361cbc35d4cb204dc72f3a4794fea276897139

SHA512
44ffb82d82a2a7366716ef1b7805a03a2bd730bbd99c4a189955d95a55505a3b15eb3eb78b8a64df5984f0ea31d6b886f77517c9992c3feec41cc2f78de3b3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48237e53d49f8f49017fe64283b47a3e

SHA1
50bb9b0c5534697f2954a85325cfcc221469b86f

SHA256
2dcd22a1d43e038d9ed3d0ec8c04fe5967c1e897b1166a99c95ad78db64351bc

SHA512
c135db37763e5af0cb5c56e6b3a2fd16e15ee3146f43c8b23b350789cb7f757a4612a96246a99f40b89d6fdb524752f4455a668bda87522fc330316d02fee5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
184d49cabb8984a20f9acc485e1cea9a

SHA1
3a223b20881d374add30b160c1641d833f6cd401

SHA256
747412021fc30fb788e09a85c0cb039298665f901b7a880dd48fb8385f515bb6

SHA512
4e2e8ee691ad89caf2a215b7cd7bef32fba36b9aae8b39c760f786016e61b161c925ff542fb4670d233851e9ad4faea308b3bd34b2524000a060a41145e9cb05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
3e89dce05cc4b8f76525dfb33e2cb3db

SHA1
8ee0ee6d0dede086b3288f88e82ec0e327350ce7

SHA256
6c867d4cb6808b6a42eb0bc38679fc95ac8f7ecaceb0d170f30967b12a8a10fa

SHA512
5b09cb6a3221a21cf61ea8d45ea4b834fa2166cde5a6ac89e3fe94f19aaa374435deb515234eef9bc2d9ab4b55bfcbfd01182e4ac76ed720a41f855578e1d389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580644.TMP

Filesize
371B

MD5
73b077ee5e63107e9a343c3368c785de

SHA1
ac597efea26d339d15d77a4529218f946df8a7aa

SHA256
b6e1f01a36fa8cb73821c0cf6165ce105455ba14ebc56decfd16d07e13105102

SHA512
4629fe93d18d650951512ddf9d322ed8550b108ad7ae77f8252e791fffd76e709c3a2b2dd556d04f61147c69f9721054b9f2ef32d9f178c0b620453c098c7ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac5002f8504325204942d06fd7cba10f

SHA1
2efcefa73b56557ade3f9f5a263220e7715ad44e

SHA256
cca501eadd7ce3651f9a52ff67c244cc8fdef690ea33acde7ac38742ddf7d5b6

SHA512
dd87a3f9cbb717b80351a7a39b1e49c8e26e4b2c70d35ed53d214982d4e09231d1d437859c87da8a4c8ea4538a50f3de51f5e9d9800996e734b46bc332211c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/3252-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4436-14-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4436-0-0x00000000753C2000-0x00000000753C3000-memory.dmp

Filesize
4KB

Download
memory/4436-2-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4436-1-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download