f98890af20a7e8d3396608e18733648822d8674aa98e09862d287453d762046f

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
Size

173KB
MD5

e08e80d23281aefb7a919e30da67a200
SHA1

698aaf2613613d19fcab90bf02076c142d7b8688
SHA256

f98890af20a7e8d3396608e18733648822d8674aa98e09862d287453d762046f
SHA512

552c41b61de2ef059b6075bca48d793550b620185ff52ecfa76d0c5023cfa0c20b79329a3fd6aabea80091e3d47fc1f482058293ed65de197edcbf0970183052
SSDEEP

3072:1nuk0ONtRu9Wxi2w4cKtmK5HJmnPqaTBvwjbD9NKA0trs1b7OwptmI9PX0:lukttBGmtmKPmnPqXtNKA0m5RX

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4852	1260	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Download	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
3320	msedge.exe
3320	msedge.exe
2632	msedge.exe
2632	msedge.exe
5068	identity_helper.exe
5068	identity_helper.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4900	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2632	1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe	97
PID 1260 wrote to memory of 2632	1260	e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe	97
PID 2632 wrote to memory of 4788	2632	msedge.exe	98
PID 2632 wrote to memory of 4788	2632	msedge.exe	98
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 1524	2632	msedge.exe	99
PID 2632 wrote to memory of 3320	2632	msedge.exe	100
PID 2632 wrote to memory of 3320	2632	msedge.exe	100
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101
PID 2632 wrote to memory of 3308	2632	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e08e80d23281aefb7a919e30da67a200_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 396
  2⤵
  - Program crash
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffba9f446f8,0x7ffba9f44708,0x7ffba9f44718
    3⤵
    PID:4788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3976 /prefetch:8
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,5182810483730986933,12374220362064840643,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1260 -ip 1260
1⤵
PID:3708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464 0x32c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
7d18c5fe5e01d568f1bb5d64685b2349

SHA1
b65c23df2dad605f725fa9aefc42bcacbc16f157

SHA256
ca4ad1c44eb0132df5a35284b4d7f1978f08d8412d5d3c9abcfa3bfe28ed53cc

SHA512
7a127d0d6d4aaa77ac744f35770533df7973485bf9b55d15f2304d7b4d25bd5f1fd62565332968827d63ad6f514d58070b050b61aa2e4c4826f9b3c8319e4a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2af6ef7c3cf9c3a2737f81bd1b459d4e

SHA1
9ef03c6c487205abbed038be8a27c31d15a6c475

SHA256
fedf0697de6172ce34017801df0b0d647f48d650fcd50ceebb72f21e1e2b05bb

SHA512
af3a932d06f7d631bd68b9b141722cb6156cd0742ca00ac20c83b56712549b770a68b247c91d5e276c24f8355bcf328d8ec1a241591861ec250f4eec25674d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f179f62e102494b2ae6a29cb07b0b6ec

SHA1
d46c460e1fc569bba813566f788c5ca27eff189a

SHA256
47e76f9fda5b62805d948187a586897f093c3d1fb865efe51093a93a66187ea7

SHA512
817c4feaea96cf9ddbb3428faa5382fac095a177657f355d72ed2a6b3a32a6334fb284811469d6bc83a3a084f69301b08e31519f2208fe53ec6889d5e7ee8c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e5d1bc5e456cde9ede517c126450c5b

SHA1
9d32390f8caf78b3c65b7449185d5ab851c2bb6b

SHA256
f9a4478af7a004232d8eeb327a489e565bb03e2e8caf521a0c3fdc0a2ab354d2

SHA512
b8ae57019c4bb1ecde1be0ef51fc9d45de57b4f04e5804b69b43cebbadcaa6170aa5e6a4929e9feb0315a3a0a55f67659842a7decc8422240bf28152d7260833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5450ea9f5d6da9b24f54bba7379f5342

SHA1
065afa6a5d3d915ec2d10e049efcb34172cc6306

SHA256
f477f070e16fc4cb5ec8dacc2341f6c9a09accd74768c849d1810b019ae5f0e2

SHA512
fc41c3f78c1777bc48250ffc640c7549ca861e3e97c18ced1bb30008977c137d22a62149d1406dc5f46290edf80bf22ef6d8a064a35eb8b9e7be743cd9ce029a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b46ce675-76c5-4879-a60e-02a043431de0\index-dir\the-real-index

Filesize
2KB

MD5
0cb2ea441d933c2e6e4c450e4c2e6bcc

SHA1
fad595fcb3f054ca6b35b845e15e94150dd233b1

SHA256
ebe3ead75e4dfcbda92900386cdb5a394c42c684a6b5fd6193c4ffb105afc16d

SHA512
9a24b12f1796c8bcd9163003fe3bd62df0e461387a02074ffd6cebc789a23862388ebe423007f0f933e08a200d553e02924fa982e460491220b25bf41be5614c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b46ce675-76c5-4879-a60e-02a043431de0\index-dir\the-real-index~RFe585280.TMP

Filesize
48B

MD5
4e023734c8ca23850d430347de642ef3

SHA1
388728181a4678f93d57ccc83766c660faed0ee9

SHA256
5742b87d0ec2388a3778168313051cf387efcef4f790af3bfbf801da407fb8ab

SHA512
f846d1af18cec8ac10544111ab51471844be163f20a7cfd007fa31a2efdc07d2d20b36e658681150ac0afd8c54269f6aa0ec90abe776d58510ed6ef8e2bf5d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
3dd1fc01dd1a5391895b133f09907d1b

SHA1
d16843560ab8bed3719f1487d490d1de7c31c8b4

SHA256
50f0c93aa5b9f69f439e73b46ba429a641ebe79f8d804faf1872d3685c555aab

SHA512
851d9e12c0ccf20d32db4262fb9b956af256882a74257808746db815c83e8fd0176acec5aba68583036aec9d93d0d2d3cbe3e0be72cb16a434ca1e0102e4e45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
509bb22ff0a9905afcf04db5c83b71b3

SHA1
dfbc52dc9a623aba9ac8b63f9a6bca7b341c53db

SHA256
9a71112d040895a2621cce52c28714679ea937aeb17f2e6466ce5059306911b0

SHA512
5ebc76a5e9b76e9d16c0bbe681d0961420fc8b6e4830ae540714b40b28a36a48954277872aab8dc59433bbb8447518e95919ed606e29f8d09b12dc5902a31f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
b923bcc36977cc83d87a95b0e1ef9b36

SHA1
87438d82fcfa3a7aa933248507a6a8555d072987

SHA256
bb717b6d6c3b0daff68be5ad4c45818a31043aad9ee32052818a3a1df7e3a169

SHA512
5086b77db5205a2bed728ef6110312fd162a57d5e5ce47e1b0fe6450b5c427e093861fe22a1d7e3d0940f3ee34fd23aa2c2ff95292ff4e317870f6c426f792da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57fd0d.TMP

Filesize
89B

MD5
92556098f70ab565ec6269ebc84d5c32

SHA1
744a1333e8ea3ff5453b4a1edc4e3889b5b8336b

SHA256
38376378aac3ab65fdb31619f5d7894d2a67c089b9304b23d45fba46661d67de

SHA512
fed2e5822efcc01e66fc42680ca399ded2d94bf90fe49872f8ce3f3987c997be0af0a282bd92bb46f9b28901b540686c0afe243d072d43a4948d5fce8340efc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2900976a1b49771dd29cbb9e72d56bfd

SHA1
bdae756570606664fc7ea64387f9f2746d587e33

SHA256
c1c4da16e941171310ee1c9fc61b3e8d22ac5c9d2f71d7eb8b141de13d471bc3

SHA512
9c62eb1c0c1ee4b3cab9c863c6bfccff9a3392cbf2ef2b3bd3341582bb6b5bd784aac24d24b7462010009e471c41746633289106b408a1baa28bd87a594dc22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584c27.TMP

Filesize
48B

MD5
950803bb0b9794cd38eb7d207adb101e

SHA1
7f0571b97cd57b1198ba2e6c23a80fb246502fe8

SHA256
6c08528ff187cca6bcfd301895b327895b1df70141aa8aef88f8d65009bfa0b1

SHA512
a6efde956772389ccd930f93f69e5de5715a9d3785dcdce024ed70aa75ef0db6f5c68b72204532ad3f99c8d368c4727fc97a97909185bde200fe0f81d9522788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
abb4c100d61a7df3b0d988e1cf79e340

SHA1
f8ea5a958a093e9164dd7736a2254a25e91aa9d8

SHA256
085b28b96ed70d550bf11d8b27a11d6b233f3f04ad5c14ce2fc787f41ed0ea8b

SHA512
4913be839fc93120b48157028eaa11b45e754bbd3525d8a7204c7f039ade8d5dd7cc49c655ba6f6a53ada876dc59f2ced870906ed48652e12c976fccbd556d79

Download Submit
memory/1260-7-0x00000000004F0000-0x0000000000536000-memory.dmp

Filesize
280KB

Download
memory/1260-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1260-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1260-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1260-2-0x00000000004F0000-0x0000000000536000-memory.dmp

Filesize
280KB

Download
memory/1260-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download