a292cfd2baff32e33342589abf0d26231b87e86a7b9b7f46da6b33f66fc10cdd

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
Size

502KB
MD5

b8a0a76f412c04dbd8a83f9a1208f166
SHA1

821840d330d1dff087701dbcb3af4971fe9a6e82
SHA256

a292cfd2baff32e33342589abf0d26231b87e86a7b9b7f46da6b33f66fc10cdd
SHA512

9ec48046259607a59ad0cc9c4af55a21d60ccb4afd47696b91d14a008d7665ef4b249349f0bce383ce03e82c8a040e03d5893ce14a81cd4300f1caac15cd08bd
SSDEEP

12288:Q1PO8MeQh81uhNmq+jhfgKBMMMxMMyILi7YXLa:wPO8MeQS143+jhfjMMMxMMyuie+

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-0-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/3668-1-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/3668-3-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/3668-5-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/4372-8-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/3668-10-0x0000000000400000-0x0000000000436000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4372-8-0x0000000000400000-0x00000000004FC000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
4428	msedge.exe
4428	msedge.exe
5000	msedge.exe
5000	msedge.exe
4896	identity_helper.exe
4896	identity_helper.exe
6128	msedge.exe
6128	msedge.exe
6128	msedge.exe
6128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1800	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 4372 wrote to memory of 3668	4372	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	85
PID 3668 wrote to memory of 5000	3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	88
PID 3668 wrote to memory of 5000	3668	b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe	88
PID 5000 wrote to memory of 3592	5000	msedge.exe	89
PID 5000 wrote to memory of 3592	5000	msedge.exe	89
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 2312	5000	msedge.exe	90
PID 5000 wrote to memory of 4428	5000	msedge.exe	91
PID 5000 wrote to memory of 4428	5000	msedge.exe	91
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92
PID 5000 wrote to memory of 5116	5000	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b8a0a76f412c04dbd8a83f9a1208f166_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=24uFFR65rtI
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdf7946f8,0x7ffbdf794708,0x7ffbdf794718
      4⤵
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:3896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      4⤵
      PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      4⤵
      PID:3084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5288 /prefetch:8
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
      4⤵
      PID:2116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
      4⤵
      PID:232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      4⤵
      PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,18362673694377422526,7696673317427305914,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
bd4fc7dd8c6e384d39e7acdc58cb0478

SHA1
dba152aea1e4a094547b59e5c3fc419468591758

SHA256
b861483f5872999ecb815f3bf3ed88bc03eb67e08a63f55ddb52e5328b22c6da

SHA512
79a8d188b3b276004c883e68e84969d46acf7ae3a0c7d2b2ea974e036f8333be02dee12f456d96e3f98c068f3600596db186f43c0182476fc2f3dc396175f092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
36b5a0e037c78d9d216aaa416e5d7b25

SHA1
e56cf752b97dd55b1c7d864a910e1efa9b47f5ae

SHA256
633b9fbf37c9e6d8b9ab7dc87e99c913a45bea2b4e696b11d6df8ab9afd95785

SHA512
976a025b6ff1614dabe86c38e00959ca1abf56d6dc9b222c734ccecd8dd9a50635b3a37296741eced0038d9cbdab9f412159783828b413e5b4e9d7d257b8c618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1115a0fef72a244feb7360463a4ae234

SHA1
f4994325921dbb94b4705af5d8bf3ebcc44b1632

SHA256
67c2dd384a6f8260d4bc22fbc378cb3c7ebf653235a118d54d37b4c55aca4e02

SHA512
caa8817fcaf36016ec012f97468dfceea9cd08d0b66648259987994ed63c23a723ea11eeefb0c84fa1287acb7af6671d2fe7563d0ca12f792bd1858b68d1d5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4827e873254dda2e9646dc198fcaf330

SHA1
de5513118682073a2dd8ea9ef3895ec9277cc374

SHA256
05243937487e9f8beaa8c108505a938c7b414f6cae30a9de2937da9609e85eb6

SHA512
3f2ac928b542b9002da37653515b0d3ec49d8a5bc050c754523548371de820ead39db5b457381df8feb7225dce33b080fc18674f6ce040731672fb04eae3e9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3f25616a-e8b9-41e7-9609-25c232a258e9\index-dir\the-real-index

Filesize
624B

MD5
6bef96e29fd7a1066b4f9c6117f1a73f

SHA1
c420584205e57d12d4b25b5abfadfe4e62ced663

SHA256
a8d46db697ffe97a9bbf064ba270b1b24d211b8bb51807d46790cb96e869dcf3

SHA512
d13b03ef7a597523bba76f8689c3521e85cb376f12e9e436b23ca4d29c5d7907eb1efbc1c14492dc34e62ba9ef6183a2a9fa89e11a98eb14b6ea13ccde958e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3f25616a-e8b9-41e7-9609-25c232a258e9\index-dir\the-real-index~RFe57d11b.TMP

Filesize
48B

MD5
249e76a77976cf4a7bbabe5536ff5287

SHA1
de2891cf80c2090ddc0f0334169cbf4c75f4ff03

SHA256
f59378b0936be107d8c83927e1b9e6359857c5c5d0c294e55cec6434e6892c0d

SHA512
378e26f2073f7eb799c1fcb8039dbb15122a69180810416f6fb3178b8c1b891de6a74cfbdd8053ddcc18b7750ea6f45c4896ed1ab5d608f27f007f013776c6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a765b5ed-5bed-4165-9bf7-fc829874083c\index-dir\the-real-index

Filesize
2KB

MD5
b4186e51ac197beab4fce9f7b2d6f0a4

SHA1
5efd484157867522b2970c57782438aeb4631315

SHA256
0877e49933f72d33c1bba8600eab90dcf1ecf83840ad3fc73ae2187c9cc2f8d7

SHA512
d466f04a1c9afe4a28110ff03bb0003da2f79f53e8d16417f99f36028dc50b5659f585be63cdc95e126f4f9641e6f0afc271bc122ae5c3d2aaceb872d0d40a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a765b5ed-5bed-4165-9bf7-fc829874083c\index-dir\the-real-index~RFe57cf85.TMP

Filesize
48B

MD5
52e572babb3355c66faa75a755644f1f

SHA1
f1abfc4f5183d2dee744d8739d128964e6f05cbc

SHA256
6f032117b430467900534c63155ed29813545d6f45172f5a4c05bf89dc82dfec

SHA512
d81b1cd14d5ad789b902c517fd4809b1d2505ff7e2e6ee61f47c1a4b146ef772ddf21a5c3cae4fad36c7040525076917febef22d5e176c1ca12a6fb7950dd624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
81b9c2c663b24da52208a50683926222

SHA1
70e65a96049f5a3e4473466d9cd3e3b3e32de8cc

SHA256
1772bd44927add3bc5e9980607d27f2e42c7544b82a254b3095bc41376067f7e

SHA512
35469ce3d2a133f9e2757177a2941bb5bbbacd2854e9d0b6245c8630fd9f4fa87767a11406cf7dbd8310c8a9578d012f3b2bcc371b50fc751b425b992bd46b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
4346b169e5acb5a2c784f316918a6728

SHA1
9bf8ef456fd6c6b56708a7be4f75572b5d93bff1

SHA256
f820b23d99013b83c9e41707c49cd6011d1ea05785f96163489d24c128d534aa

SHA512
d76bf3ee7e80f0ce5a2b8741a289ea5d5b0f46a338de89ab78b81dedba1b116e7dc6d389bc7021303942841c49d9edab48dadae3433a02d39c3cccf266af25d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
3f31f3e303bf1edee2fe251d6a7e7d70

SHA1
03163706c469bc375a205ea734c98b63237250ef

SHA256
6c093954bc069ff7c661e9086f828fa4d93ae3dd44fed6d3685a1b2f7688587c

SHA512
220334019a35672089f4aadd79e5d0357cb41fd6d204b7eb773eb938605fb79374c232ff03b5bafde8f269a03cb9ca0baed52458f9ec755fa9f925ecbbf9fd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
d5c0a25a6c95e4f32f7e05d02233a951

SHA1
09e2b779d9f0f41e2aed2e47fa712feb36e4474d

SHA256
719f4466e5edb106f4b5fe6a19739df6deb61a94514de9f9ca94d85909691874

SHA512
c61a80017518fb2481590880349407f4fc0feffc0e5ffbdaeb5368401608f9f379de5818d9c6625ed0fbc6adc3ddd55f556ebedef9dc7e8d7f661707010c41eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57759d.TMP

Filesize
89B

MD5
4b9a057da687535dd7920b764362bf89

SHA1
8b3d1c61115cae84bca85da477b438c97e7186cb

SHA256
860cc01ba2d32b8a4ca4958b57933865b61208f583558e45b99007e81af4c93a

SHA512
b54bb9728d548b458d050f9565790e33b8ef544a89ef9feb8c196009ed29aaaa490fe8432e5a1e1225b0449f9669f1c633c1974ed45ca85e0e6da7134074e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
fca937d5fc2772c1d4852050ec9b5ab5

SHA1
ab449498fcea206495df29813a3bef4e7ed7dfd6

SHA256
db8f606b1daa6b74e879155c86380c2e443791dbbc0d1583bbc915f401592336

SHA512
558986d36ba082549fd5e22efb22f22ff93d979158d821beafa26e3c81d730d46665c8cde87b4ec5f36a067ef8470e4f6dfb4da5a18d44dd25e80fa5f1d89f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c534.TMP

Filesize
48B

MD5
dfa2e558d1e3a724e4a21ad8e2f9ebbb

SHA1
0e72dfd07005023d689e4995fb602cb42d93fc24

SHA256
b3da373972b1ee4053c2b26648ddffe1444fe6cf194da942cd9f416c8327409a

SHA512
e3935ce6eba5c25466e4d7a1dde83621572be953d691090d7e8b3c726338653b7eca9d95c96bea2443109aa17582482d83821dca93db79babbe68bf262cc002b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f1ad116c1e1a74ce3237893e9b0121a

SHA1
e0bea01c40700edd91d74e154f3cd8791c09616a

SHA256
1ce3e11ce623e334d71c04950cfd44ecfe3c77262ffb64d7ea811f132d33dab8

SHA512
7d4cba59c4076ea00893dfdc1e0e96390d71da2f3922b7d8715ff7d0cdc87ea6baf817bb606699eb138fd7ba28b685c1cfaccfd665c34f572a584e5d0f30ed3e

Download Submit
memory/3668-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3668-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3668-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3668-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4372-8-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download