41ff6eeda8766e623202832a2aa59930a7f5bf93131d07f857bfd5c62dddb531

Analysis

max time kernel
146s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
Size

436KB
MD5

b2256cfa0d4a19142547ad688440f266
SHA1

d73e07bd617b73a814f830f6bb8e69dd623a272b
SHA256

41ff6eeda8766e623202832a2aa59930a7f5bf93131d07f857bfd5c62dddb531
SHA512

182a55034cb54131d3c80968e9b3dccf69cc53772db5817724822f4cb0dffc946bbcfe57c823a3331c2deb221c51201dac769b8683dbf486fb4ff4fc8c720af8
SSDEEP

6144:dyPEIHbPHHTxi9x2NCY5oo6KW4DnUO/z5ciMZ+fUvY6ly9Z94BOq97iWZ:6HbvHTxi9QCYUYDhlciMAfIx+uBhk

Score

7^/10

discovery vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000400000-0x0000000000553000-memory.dmp	vmprotect
behavioral2/memory/4916-2-0x0000000000400000-0x0000000000553000-memory.dmp	vmprotect
behavioral2/memory/4916-155-0x0000000000400000-0x0000000000553000-memory.dmp	vmprotect

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\IESettingSync	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
3004	msedge.exe
3004	msedge.exe
1032	msedge.exe
1032	msedge.exe
2352	msedge.exe
2352	msedge.exe
4572	identity_helper.exe
4572	identity_helper.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1032	4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe	89
PID 4916 wrote to memory of 1032	4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe	89
PID 1032 wrote to memory of 2456	1032	msedge.exe	90
PID 1032 wrote to memory of 2456	1032	msedge.exe	90
PID 4916 wrote to memory of 4104	4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe	91
PID 4916 wrote to memory of 4104	4916	b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe	91
PID 4104 wrote to memory of 4164	4104	msedge.exe	92
PID 4104 wrote to memory of 4164	4104	msedge.exe	92
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3868	1032	msedge.exe	93
PID 1032 wrote to memory of 3004	1032	msedge.exe	94
PID 1032 wrote to memory of 3004	1032	msedge.exe	94
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95
PID 1032 wrote to memory of 4268	1032	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2256cfa0d4a19142547ad688440f266_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://union.80.com/iclk/?zoneid=497&uid=1567
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd72046f8,0x7ffbd7204708,0x7ffbd7204718
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:3868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
    3⤵
    PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:1132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
    3⤵
    PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13117337841896638677,5270697806706100253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6064 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://union.80.com/iclk/?zoneid=498&uid=1567
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd72046f8,0x7ffbd7204708,0x7ffbd7204718
    3⤵
    PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17172849301817439425,18413945934649409519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://union.80.com/iclk/?zoneid=499&uid=1567
  2⤵
  PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd72046f8,0x7ffbd7204708,0x7ffbd7204718
    3⤵
    PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ebc024cdb324eb41f33c6ec63d1458d

SHA1
f623e96981ee63c1b6879f682c4364fd5c2265e5

SHA256
23b9bd7316816043f42a80784e7f247f3afebd3dbe370fbc702189a6a0dddb1f

SHA512
6971b6430bc01a36c48bc1e41cf8c4bed65a2890837f7778a896072159940ae739d11834176cc7be6cf6fa0f2ea9e6764c30cd23beadcc88c390e5573bbad097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709c6f4a32b317f6487b598788b6353d

SHA1
50f44d43be9630018f0bd2acb1528df07cd05b7f

SHA256
353aff71e8cf078c88c836e66d86be266ddbe36496a597b9b5a5a87d21eae83b

SHA512
4f33792eb73a792c88e8e2dc8bef7b00a2af7b1b91f4bab0cd5076dd2cb9abbb752eb7e60a4c6204d15f9bca1562915f2468b94e5f01f79279e1e7469055f0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b060ad696e49b40e8c8f30e7fd845f9

SHA1
3c2ca7c8e33c2efe763d22ffaaaf69fa80304417

SHA256
8d20b4541f265a3cb836fc518c7ea4e62307012a82a64ff6cd8a5134e0d9c183

SHA512
a7095e05a0b526da62596750f7c5e421870e0b386956dee56f32a5f224bfcc8abaefed22d3b5bc7d762969324d2e3019416e91f45402d3b25c8e4016635bc099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
012b0d1e64a20eb6556e70c89255364d

SHA1
471cdf54ab3403b76c8fa97fac86ac5aa966f8c2

SHA256
0373138ce85e603f2cfe93f6848912976ddc77576b4059542d1d4d48536e27b5

SHA512
48bec7671ea0308d6a96dbf9c3df8bdd3c0cba26c1460a15e0db1133b458c8325a983e131f36b2d965c1f9f74fc54e1cad908400ab156e55f6d81fff4dbddd77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
494a861dfe3fb61b7f6e9a8e1f92d179

SHA1
903db9c91a888cdd2a359e921ea2c1a958228aa9

SHA256
46ffd9cec0b1524402f64218ea9584cb751cd61e56eae54ac0ad61c55273c690

SHA512
f97bfb87546ee38f100ef52f6ee6d102d05feb378a940954a1953f5dc301e6ae7a91de2b2176dcac165a61abf867e06e3e31572a378b1abd9ea2768de76e7175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
913f07425cb7a56f2b09707653899ef7

SHA1
d3a15c085530e87c47005b0e9419789d56d00291

SHA256
8997c969f69906ef67dff32489ee74f724d4e475db02b179c45b61598c450aed

SHA512
194cd11068fdf7410173065df1e5fe51625e685bd8258a62b39eb29ef37f87638ad0f969ed0233b61b0809ff0269e91965a63751297a7517fcc155d4ff5e0c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
353435e12c8741984223c0674cc872f0

SHA1
c17819d808cb3811be220b644ba8ad428a49714f

SHA256
ce392fcd913ce6c89544e43fc9219643e59a7e98675c671b1db5183344aba538

SHA512
b602db171c015ce7f961d8e493531dffe22c152c97dd1b7bf64830377ce96f6120cd7c4ddda8f009bb93ded8361de10badc90709b750c96cba1958551ac2f2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B9AWTLKS\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\bullet[2]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\dnserrordiagoff[1]

Filesize
1KB

MD5
7e81a79f38695e467a49ee41dd24146d

SHA1
035e110c36bf3072525b05394f73d1ba54d0d316

SHA256
a705d1e0916a79b0d6e60c41a9ce301ed95b3fc00e927f940ab27061c208a536

SHA512
53c5f2f2b9ad8b555f9ae6644941cf2016108e803ea6ab2c7418e31e66874dea5a2bc04be0fa9766e7206617879520e730e9e3e0de136bae886c2e786082d622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
memory/4916-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4916-155-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4916-2-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4916-1-0x00000000004EE000-0x00000000004EF000-memory.dmp

Filesize
4KB

Download