68515491d2afecff653a625b7fc1c0a5fa08e7a4219c5b2c7bf1e33ad9040691

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
Size

576KB
MD5

d5a9230196e60a083d108eecc67227e7
SHA1

5dc89e6a0b3aeb72191d66e83b80d6980a8ce9a8
SHA256

68515491d2afecff653a625b7fc1c0a5fa08e7a4219c5b2c7bf1e33ad9040691
SHA512

b5958b7ec6fc7c4e718b396d290d9865a22fc3914be333d37821070e3b411d65a65a72071369a786444162660720a567bd2607ba3d86e10674a39216aacd4227
SSDEEP

6144:Z0bY3ZCQbCTUbVEv/RCs6GKz6ZRjQxf6kjeSo8z5v8bnoex+2LQKHK:D36So4mx+2L

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Download	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
3860	msedge.exe
3860	msedge.exe
4792	msedge.exe
4792	msedge.exe
512	identity_helper.exe
512	identity_helper.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4788	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4792	3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe	91
PID 3680 wrote to memory of 4792	3680	d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe	91
PID 4792 wrote to memory of 636	4792	msedge.exe	92
PID 4792 wrote to memory of 636	4792	msedge.exe	92
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 540	4792	msedge.exe	93
PID 4792 wrote to memory of 3860	4792	msedge.exe	94
PID 4792 wrote to memory of 3860	4792	msedge.exe	94
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95
PID 4792 wrote to memory of 3500	4792	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5a9230196e60a083d108eecc67227e7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=ZvizXaqutWM
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa8846f8,0x7ff9fa884708,0x7ff9fa884718
    3⤵
    PID:636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:3500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
    3⤵
    PID:2472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4112 /prefetch:8
    3⤵
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
    3⤵
    PID:1832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9215133920772275674,1397075596727654403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
ba70e6888902cb79cbe1f6107edffc2d

SHA1
37d8447b4121806d5ac83b4b81e1a94c6386bc22

SHA256
3f168fb150ce71c25160cbd288f6da62b6763bf1b46576ef202b47a37e217559

SHA512
69cf04d5495b5eb2f85dd7b5c3075cd29422593a520bdf6278cb6d0578c27012631308ea3a32a6f817985246253b696a18f4d2ecc58c367827187fc9175b9245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9c359d9b53fc0d99b6431e8e6dc06d3e

SHA1
efa20c27cc81fd1715f11930a5429b70b3c1dbd6

SHA256
1d225dd0da3fa2af7d999a0f5cc36f9645d0cf32d09e11f526ea1e05a4176746

SHA512
47df77ffc91bb326284870a7c9b81452b7241b1a3a84333f295f6dca88772ca6e9327598e97abfe09b5d1089976226173aaeb57a5c0fe4abaaa629f89aff6d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2d80a6ab0fcd36cc6fc06b090570bc58

SHA1
deeb613d5a5c13442353edc8c720600c12b03646

SHA256
d3646e5d2861729f3ae456c0edec24fc6f3f1e8b4c03397b187fe5c1ce62e366

SHA512
ea9898cb5118041e63c7de593205153cca8867f23717c4fe8f4d7ca08725822fe25dbe662a9e52233e25d37e0dab493900a51931713c4cea85f26219a8adc3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cf1779b3c526af507143936e4bcca4f1

SHA1
a8296d5f3e69a1fb1499d96524529bdbb0f074d7

SHA256
0f1e40a4ebc67725ad047bbaf233143beb13a934e0ff803bccd5113b7b9886c2

SHA512
d013b875740762466174e1f4add851773fcc76f7dfa1ec20839c89eea720609f847a3978485e85d2e8e4e66e7730b65c939c477808e919cf3dbac094c5cdc8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2490ff6e52150d2619f407897fcba8d4

SHA1
566bfda7ec03a580cf3f0626f3c23028fb47b230

SHA256
77cbf2d3a016e4dfad1c56c7b0bf2174864f81bb7e788480d5701636c4b7a9e3

SHA512
383cb17622fb29b447177da73d7268919008a4195b3b719f1350b82a01e6aceca53604613917de5598261cd3f6c14e080e61c2f0795c3173eae8a6dfeac3bdab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\78a39dfd-536a-4569-b80f-a67549d7b5e9\index-dir\the-real-index

Filesize
2KB

MD5
77b7aad731d55fdc729a337524108821

SHA1
bc616c129200501ca00e68c950fb64745575f238

SHA256
f043656864c348dc4fe0ed6940ac7f5325ed2f49aa62be7a7467b9d83eed4d90

SHA512
6a98adc118c0714c7c5eb45e483c9d7cba38716b4c54fee022a1bd6a74c4030c81557f4681ffcf1a532da79cba0cba21bc868edb5f896ab81d3183bcb1fa847e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\78a39dfd-536a-4569-b80f-a67549d7b5e9\index-dir\the-real-index~RFe5828ff.TMP

Filesize
48B

MD5
b5a8bb7dc8f8dee480c33f752fc1fd7f

SHA1
08b8f8103c27a0a14a96370b3f1ff414556b1b4a

SHA256
fc04d4f4ceafb0d2fd829faee66208f7695ba326551b06bbe88eb2c803ef07bf

SHA512
0ee19882fc9ad6d6aa02c7d383e2a7ad3af0cc9fe2d19bf63c108f8fc2509817a54aa6aeb5e035ea418d3c3637c3ed7d11a861c6d0be291fb168f605f8e9eecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
3b64d74d8b78142cfb97235f5b6b377e

SHA1
4c651311abc9642027b5317561068df48f4e1afc

SHA256
662ee6b8598d84a1c9188ac7f51e2e1c92594ce7039a8e02ff6a628bda8bbb65

SHA512
a285678fa69c90f268125166036292c64f2d747d809244bbfaeadf4c7a75419004dbe8dc3a205700b0a34182667d08653f38d83e3ae0cd99927d9c5ac4ee1254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
be229a27f9ee3241a1386e93b68372fa

SHA1
f8de56360a645c49b604c358211f0169f3edcbb5

SHA256
d3b89db2cfe12c9d9e89c79bd182b60d8357f31308e7f10223c9d5d32ffd22cc

SHA512
f58a80cf8bec9ff47e2e9893a4787e2be039334679770fbaa7f119c77a9965579b83b9238aab6b0cc1c5c0e5897a63c6aa5675eddd88b03acc37a77fe87a21ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
f9689c09c2a43e4f1ae5d2df8336bf7e

SHA1
52f91f212a316a6edc0e341ec0409cb2598baff3

SHA256
29c206acd7ef26b5ccb82e96f756c54a05b11f4a724dda3068fdff5e51e4f5a2

SHA512
65fdee22225a4245a9f2d461dbf42b38016c8c8a66073344b3d7dd56e6521967ce73d4fffdeff5fde6a993bb8096fc72608a13a1ca53fefc82184259b49ac910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57d37c.TMP

Filesize
89B

MD5
313f68f5bf5d806a93dbb460ab042dfb

SHA1
67cd11dd18da06cb5b9d6447200ea6dfca2c9129

SHA256
850fde6045523d6c71d91b8ecb3a88a1968a89e2913f382cb569661832b86124

SHA512
09e0659900db58e45ab26a0ab8e255c47655bdf95f1121bc0edcf431174f8f46f487272e8cb5102073a7bfab918ab18ebad9e919afeae45e20a5c812d99a9713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
21035e6c3bef0faacf95a7f5def7302f

SHA1
4e12a9b44f29f8a4f9fa5fb6219e433e85a222b8

SHA256
913b779adeaa64ab51b14e22138ab951c7c5d9ce0664dbb1cdea87cc4ce5e60e

SHA512
4454ebfd64ba4fa2f5979c9010a667c30535f2585ae1d0a4fb40fe3d6c932ad8235e89f35262ed96b200ac8674febb15af50a589980902be941ae3964ba2233c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5822b6.TMP

Filesize
48B

MD5
c9f4d34c2e47bf080a446c9a3ab3be52

SHA1
bae4d9437458e5109fada3e2aa66f4cf89a9a828

SHA256
941f5b7909b08cf547c512b1e75009549a73d5b7cecc59bd6c4996372bb71af0

SHA512
165cbf1276ca42b4d88c88bb886be740bf493c0c829971c0fe91f263726daacf231244d99edf8dbcf87cb058c70e220041b6c2d4cffb132bfd6c1b6536016673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2172f71c737a3187f6265ecc1d14280c

SHA1
67b82adbdf62c7e3981ee2cf8426199df26d7f25

SHA256
76b86252f931c6ec805d391dace4fdab4827a184d2b121719bc84583a81d1044

SHA512
9a2ce772f4f04f50b765d62d9744b1ccd9a9d7e247f45dc254d9fb5ef78b41903d61f47406279d70cca3403d08df56c9a1024543b03f1c3f11dd45e9472ab063

Download Submit
memory/3680-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3680-3-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download