a5ac52eba07b3e91e8273c2c4bb7a5ca9eab6c4294f7f0bb92430e88b46b385f

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
Size

169KB
MD5

b64fb85a6419fba53bd51e13394571bf
SHA1

8f7310c7bcaa754d2e3cf56a1166803a3dd098d1
SHA256

a5ac52eba07b3e91e8273c2c4bb7a5ca9eab6c4294f7f0bb92430e88b46b385f
SHA512

37caf4a8966752734e0f3256906a763da2f014a2ba0a8e68dde17adf9f6e3b4f5645cdf78a74e20ec68f03bbf33fbe6daf3dcdc369a803b1a8b1b38706c4cc77
SSDEEP

3072:b59jNh6heNAi4pjDOzUiTQoZ5TKVuJSsgE9U0F5/vA7ueOtc2iLWfwEYnD3:bfNFG/pjyzp7GVu8sg45/vACeO+2i8zo

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3112	1180	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Download	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
5008	msedge.exe
5008	msedge.exe
1620	msedge.exe
1620	msedge.exe
4724	identity_helper.exe
4724	identity_helper.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3864	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1620	1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe	96
PID 1180 wrote to memory of 1620	1180	b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe	96
PID 1620 wrote to memory of 3876	1620	msedge.exe	97
PID 1620 wrote to memory of 3876	1620	msedge.exe	97
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 4968	1620	msedge.exe	98
PID 1620 wrote to memory of 5008	1620	msedge.exe	99
PID 1620 wrote to memory of 5008	1620	msedge.exe	99
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100
PID 1620 wrote to memory of 1820	1620	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b64fb85a6419fba53bd51e13394571bf_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 388
  2⤵
  - Program crash
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8adf046f8,0x7ff8adf04708,0x7ff8adf04718
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
    3⤵
    PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4704 /prefetch:8
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7080513284709859258,402809211943668484,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1180 -ip 1180
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\15c77219-46a2-4cf8-866b-7f37569e5678.tmp

Filesize
5KB

MD5
5dc59f06c49f3f9ea486617694c4abdd

SHA1
9e2f36dadbfcc4997e3aa10eb2f2832d47cdf289

SHA256
57ee8a62d59419bb9fece7f957bc19a03d957555527c60833332915359e6429d

SHA512
a686c04724a1b45f78a8c9717711a9e09e54f648ad7ed1b850b96030e5c2893c31df79b9d12777a20ba615f958d4e293e0e1b0d5e1be46210549083d2498955d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
201a89b53e3d7ff9f45d78e9a191c8a5

SHA1
e4abe321ea8f590ca6a6c3b38c3e8fd8827d67b6

SHA256
a3f235d453979f32edcc800f6d8be8266c207361165a740ec917786f935c6daf

SHA512
179a594bf32cbf8c9b0c760780eeb83d55540c767bd619e7362abb7d66bf4d2301895dcf1cb9362390a7b5149589e499f73c87f210a73fd9e3a3fe41cc0e6642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
502000a61c35ac94ab2e50e28cfb67af

SHA1
5c0c986b1c7174163ab5f54ee8d690f5c8122918

SHA256
843795c4704c8929491241ad4d0dc03a50e252ac0d51af647ca028e9c2f6834b

SHA512
c02eb89c548a19710912a7a686db60edb0f7216cbf4cc47936a6c92480384a4dcac17411299460de1b5334e47d61dc45bce1a4047944baf97bda3ba1cf72d322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fa65e56b98de39f8d40273e829be3a35

SHA1
30663d447f793a153fae45dc3b367dc46b567f33

SHA256
d900711056ea2a2ac2a86dd108537c622f6534d72bf4fcc59f176eb47bcb3f23

SHA512
e1c5f2841485ddb26450de37b86518ea24191ede08fdec60759c4dc44882596ece8a6034c248f4ed09330967f206faa31b884a833f10552b2c0bc2b36b62fc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
67ec80ad102443d3fbd7efea358e6047

SHA1
4160d215d688f92ea3124373f5ad54d5c4b9ec6d

SHA256
502a531083b0269368ebf08ea73eda92a0be5b1fdd07cd70b4f78c353ae10e7b

SHA512
3d932478b7698a6846868904b7359a9f4502b232f7189ad8e18b4a53990ddb2be8b8081418d53257706e412723dd310cf180735b86791f7556606106d9531b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6e0b8b7510166e972c53329c0a9f39a1

SHA1
b1f2c6670f16088e987184875c5d605d93461768

SHA256
17237475ce7e15ea32b8e8109440f4d03872d32e7c0e0cdef869340b9df97878

SHA512
f93fb0441a52c63941555d81536e6dc811372129107421227c6263e8cdf568483780189a50bab0d0a2241231a71c22b36c3bb8d1a31a0020a3cda1b442766181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1dbd5df0-faa1-4be2-842f-93b27442a389\index-dir\the-real-index

Filesize
624B

MD5
f6969ac705639d2ed9248f63d9d6f1ea

SHA1
f3937914bd09c0680f964417b587fd2174f1391b

SHA256
da2891506dc6510a869cdc3b872bd8a208be0d10b29b9e927fbd2ebb4eb83e5e

SHA512
e566d2c96297742e3a659f28a31b657e5bc1ce92db46d295a549bd1fb95092585880fa44dca5705e4d221c1ff967ff2a09d5a66ed49840112aa8032666e46e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1dbd5df0-faa1-4be2-842f-93b27442a389\index-dir\the-real-index~RFe580de6.TMP

Filesize
48B

MD5
d977de2b995e35b67a604d95efbb5f69

SHA1
0b70fdd217fcb1201fe7521b5aba90ccfda0e54d

SHA256
75e278f41e43571e2612c0163bb641f55b4f115855323f3ae303debae5b45b2d

SHA512
87455b93b11f7de97c67f810647498ab25ae75fd90d0858aca61715658f4fb851ed08fc65c6e3ea3bbe06e5bef6185d598ea79cc81e2dc62146463154164e826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\59e3dbfb-23ad-4c05-bff4-4ba046c9c841\index-dir\the-real-index

Filesize
2KB

MD5
7667ab7dd8805c251c7ba68872dd165d

SHA1
2be4372e1d9d40c9f91f294963c0caf1007f6883

SHA256
0c32be980abf30d951dec376e7772148f854a79910307e80e35ae988fc45c7b7

SHA512
03082362c74c7a51dff62eb1b1eb011eccf30644284b5dcf96320ea4784e4865acba40475d6929383c1c37b37ee2ba97ceeaae9e72f9872b646b15a3de4a3eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\59e3dbfb-23ad-4c05-bff4-4ba046c9c841\index-dir\the-real-index~RFe580b36.TMP

Filesize
48B

MD5
bc019f998b99637d589766e994b53edd

SHA1
b7ba890513cb42b3e21d8bbb95f1dece1a1eefc8

SHA256
aa6145013fb5a5a65fd52aa330565d7db4fa3fe48b8490fe8904b67907f6c34d

SHA512
0e40dcbd3065e97aebd7a8d26eb3fb519ce5c710cb6284f4caa9aff033abb29632ba3dcf628c4466508f62fd5db7a133260b7c0bf9cbf32f1cc6aa3a6b765df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
fdc8a1997af213acd6323a045a5bd374

SHA1
973ac9c4db30c2116ea02eded1ab4a2b0690257a

SHA256
760483edae45c0c1a8ebd5c6bab0a09213e95a22625e60162537a8236eb55cc6

SHA512
64f9312a642c02e467c7a6acc1b953cdfae2a49532fcd12edae88241819dd06542e58e0ad65715167d4db8b9af4bfb0d85418f18f386c1708f15171c835c3d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
3f8a58fa3eac121b9b1889d775190141

SHA1
a12e1428e6b7a5b0460ede97e6a84f798738246e

SHA256
8e7c86a48a7bf03ea65f3186fbae1f2a0647656c2a1251390188acf47d63a332

SHA512
f67b1697efb13b1d8283abb6841bc39d51f4ef5307649969f1343f6c0e44906805d67651d99ed438db53b223a79a37e61a8837ae4e57625975557c822c49ae99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
156B

MD5
cb22293030cfe7d83eb6b18755d4e49b

SHA1
026cf910c26ca77e7e07647aee7d9166f7a891ef

SHA256
78a327683ab6fa27b552b52557190df8ce974eb27378f0a3ca17db21933bbfea

SHA512
86ea0a49e92aeb8c375de005d3e30ce52385e123be63e483dc3bc6a2456067d9c50c0bd25339043ed24adf07793df1a1a1d69b6f3271042976d9a63be251fa8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
d51c252190bca83e5fde8533fc631d38

SHA1
d8551bef84117315d600b2dae49ee894ab6659da

SHA256
1f00fe543575429afe57ff35120d3ef6f0563419bee00230b46abfd9abe3a68b

SHA512
2ab2c04fe379971132e9ccf299958973f07d86d628ae9ac3b69845a88a1ed4f638a8ac042424c1b83764b06ea7a3ccc33fec2b59c347f6590d8f20ffdb3e0a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
2b96b8073d24fad046c04bc40884ca16

SHA1
4d82b99d7388a3d5b63715fb1af1a31b4d5a895a

SHA256
0bd4faa97263d72c1a1da8416ef7f98c0dcfbc710770fab132a96821fed54836

SHA512
1a58c29e0ddafe5e2a9e428bd9a9d2d016227e3c68ace60dc43d481a13ec83f1bfcde5798ed1b6542893641b2805662e318b4af9b7b886c70b9cbf7551508c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
76659dcfab1105cbe6241a4e7b9736d3

SHA1
e12928dc659e2f5295b8cf0a1628a2702a957631

SHA256
8ffa588cad079a03e424a5a6a7dc7a7be8f86241d17dbc8f76b86357563e9a27

SHA512
6a0f4ce1814c6c2e2b83e190d28d13236ea43862fedc80541f4b8c928e95eda4e4fa773862e8b832fbd65289948f82b8f315c4fb0915beb3cbfe16b264d53dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580644.TMP

Filesize
48B

MD5
ba2a451d6824eee6c50f8bf7987572a0

SHA1
3fe44720440cc430768104f75d40690696aa4df3

SHA256
a6954d7dc2bd95d9d720b95557e302707c284342c56e77a01b60e63fe91d7e15

SHA512
be610c4b280e3c88c3ffd53c94070bfe45ff392b51cbb8888df9c873cb3ab2768b7d4976de6adf23b86381c438477b8cc77fd2fe3c454af74ae937dbbe433ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ee43a006d6c40784a7b738dd6b2b5f2a

SHA1
9d3bbeaba17ae87cf0600b71665eb0a5a920f328

SHA256
99faba64304a06df0a0979e9bc71ab2de5b2f8b6bf671d4c0cde61faade6cc8e

SHA512
c055ba177e2e9ca937c9c1dba255be0641082f73be7f7e5ec6e49eeb68aa40aa2cf7e4341ad5251d2d40677a9bb52d2a78e74b5956c0b94a5fcc8313dc99e000

Download Submit
memory/1180-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1180-8-0x0000000000710000-0x0000000000756000-memory.dmp

Filesize
280KB

Download
memory/1180-2-0x0000000000710000-0x0000000000756000-memory.dmp

Filesize
280KB

Download
memory/1180-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1180-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download