880999d64ef9755e0f71e37722f43f633225c4e45676d52f3e98c1172ead78bd

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
Size

44KB
MD5

e0b800ae181fecf4da4378ade7ddb584
SHA1

73073412f60ca70985ccb75743560cd70e836183
SHA256

880999d64ef9755e0f71e37722f43f633225c4e45676d52f3e98c1172ead78bd
SHA512

133b068dc4198992e70fe811d805f81381f824915592f1c41b87489732d83df303d3c4ba3bcc7b1c8239ba9e541ec6cb3e0c22db1841a6c8363e8cf330e9fe4b
SSDEEP

768:+h3hOahQo3idDaY0NO7xXgg/PjcDFRX2hyKRSC:Hocmhiqg/Lc5RSBRSC

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	FooVA.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Matri-x27 = "C:\\FooVA.EXE"	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Matri-x27 = "C:\\FooVA.EXE"	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Matri-x27 = "C:\\FooVA.EXE"	FooVA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Matri-x27 = "C:\\FooVA.EXE"	FooVA.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FooVA.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
4232	msedge.exe
4232	msedge.exe
1256	identity_helper.exe
1256	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3936	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
1496	FooVA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1496	3936	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe	85
PID 3936 wrote to memory of 1496	3936	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe	85
PID 3936 wrote to memory of 1496	3936	e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe	85
PID 1496 wrote to memory of 1256	1496	FooVA.exe	98
PID 1496 wrote to memory of 1256	1496	FooVA.exe	98
PID 1496 wrote to memory of 1256	1496	FooVA.exe	98
PID 2720 wrote to memory of 4232	2720	explorer.exe	100
PID 2720 wrote to memory of 4232	2720	explorer.exe	100
PID 4232 wrote to memory of 3852	4232	msedge.exe	101
PID 4232 wrote to memory of 3852	4232	msedge.exe	101
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 2664	4232	msedge.exe	102
PID 4232 wrote to memory of 232	4232	msedge.exe	103
PID 4232 wrote to memory of 232	4232	msedge.exe	103
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104
PID 4232 wrote to memory of 4508	4232	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0b800ae181fecf4da4378ade7ddb584_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936
- C:\FooVA.exe
  "C:\FooVA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\Explorer.exe
    Explorer http://www.ne.blogfa.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Windows\SysWOW64\Explorer.exe
    Explorer http://www.ne.blogfa.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ne.blogfa.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff435f46f8,0x7fff435f4708,0x7fff435f4718
    3⤵
    PID:3852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:1428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    3⤵
    PID:376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5656 /prefetch:8
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    3⤵
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16623090541117158565,9491731571367719986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
    3⤵
    PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x3d0
1⤵
PID:3876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ne.blogfa.com/
  2⤵
  PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff435f46f8,0x7fff435f4708,0x7fff435f4718
    3⤵
    PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FooVA.exe

Filesize
44KB

MD5
e0b800ae181fecf4da4378ade7ddb584

SHA1
73073412f60ca70985ccb75743560cd70e836183

SHA256
880999d64ef9755e0f71e37722f43f633225c4e45676d52f3e98c1172ead78bd

SHA512
133b068dc4198992e70fe811d805f81381f824915592f1c41b87489732d83df303d3c4ba3bcc7b1c8239ba9e541ec6cb3e0c22db1841a6c8363e8cf330e9fe4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
96KB

MD5
fed82ad3a5c68dbc6e9c3554b6142395

SHA1
2e3c042847876b6869102325d907efe6b2eeffd5

SHA256
8b67785ca0e0d259693aef2e2e8deb24401ff91e4df004ce172b25cdde67989a

SHA512
735036576af004c53d0f4ecfcea2075c0f10f7feaf08700d825247f7e819b27b3c12fcbb44c0d4f466c77382dce6a06a682b13f75a5598e5a8e2c5bce52b1915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
111KB

MD5
e8223e0e3b989707fa796d698deced02

SHA1
71e04b91356753ed938a21c9772b4117ce1cdf25

SHA256
b7f1a62d5c145182fa21ebaff2cbd82664b49e0a07aef3d01309a50fb7bdf741

SHA512
0697d309e6d3a6d0ffed7be18dacdd57678535d35e341ea21dcc315e90b3d77121a43a3634120da29a3c40bd7187c11a278f06e021046bd8cdfcf2a7d09723c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
770KB

MD5
f402336313c1e19237b9ed25dc3871d8

SHA1
2aeeb0f8d3542c189d38da13d1dcf0e47d121a47

SHA256
c962fbcb57237c8ec331d13d77abf74e559ba1432914ac1301713a2bb9c391f2

SHA512
350df6afc2358ad43ff244ca8588d35320ae729227414b3b85eabf2c73121a9f1d8ce5492a17060e09ac87843b8896ebaf25d3d881469357769ebe2c1de45b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
fe83611f0946106e8163a08c8d807b0d

SHA1
68efb4246ab7a6e08fbbdb553bde0517ef3673be

SHA256
5c3f6e6f8e7415148c8d0277441e20b1570ad2c8d9ff6cfee1d5da0c4fdc6873

SHA512
9d42e39584e77bc04e67b7986f05f03dd4c016a57938fdc0e18ca025d7c6b413c317bfd5be15ceaf86cbe3e6df8e794ec7197792e32ecaaa46d9b3d3b829b71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
40bf117e78aaba19f823fb4ac148aa0d

SHA1
fc7e413bccf29b42620ff487668d42ac428cf8a7

SHA256
1336ab8439cdeef89d02178efd3d6d71805eb604f3f20aeaca4f906c6f83dbb8

SHA512
88ff3a1b870f39cf319bd08275cc0524e01edf39a5b87434889af5fdeee371c63b0a6b2956069de96352b43fdea227acff5afaeecf22a9b1f097c9503a93d4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
699B

MD5
3c6e2d63e667e1534d221b081c9e612b

SHA1
35958b0b90113a30626fb351f742215e5bb1d84f

SHA256
3c96b53017def4e750a2ea1ac7fa35363abaac0da8af837bdaed0f6490e3fba9

SHA512
20495347418f1450a148cbf912aa9fb8247904962187eb3cb44b2cd4b79b69819186cf97d09698576193519de18625b5e0f70fa396db415938948bf9de2d6cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a28358183faa6da00665b32d95df4cdd

SHA1
f4efca692b208641db6303ed9849f559f3729b63

SHA256
748d0d324b4ad3efac85cdd95e99ecb4ab3d19fbd36fd3c6348f7d45b16d8999

SHA512
ef734dd9af04ad3fb762e36f264a22d2cf29cffc54d06e4c766b95dfe94403f52f0d090a22918d391a48791e6fc45b71425e81b060847393b1695f551d7d0f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47cfd5e2a14c70562bedc30a23c2ce3d

SHA1
2f71cdcca52bb5c35584b493f8a5f7f9311e3bb1

SHA256
8bbaae18db7860cd3c1ad112174adaa009d66efe87dd2f3828d140cc06c0977b

SHA512
a4d5d1ac31ce1456617340860d64168195f521bbca5e38fc1f68dd8d0bfb257bedb0709f350baa6c021d7c40f6c8846a339d2a985320e57afc6ea0d37b861e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45331a078aa6873fbf1cf8380ded020c

SHA1
a826cb05e001fe0c796d76adc4b9294f7ae24b6e

SHA256
2f58130a9f47184707df13c2d954934ba57c244e6388ab404614c8ec41829558

SHA512
2893799756c6a253d3d9ed922ed8104dd726ade0c4322c4d1897fce57071eb5f15532a02373789d05d35411025c8a1ec90d052c68419113f40c2f3383a28916f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ac3f8db1fa7d96a397a6f6bf56a37baf

SHA1
27fd73a933471c614a8ded3193ee1029770b86a3

SHA256
875c189ab78eef367e5a168414caa6e0f07c0c1ed347492225d977a26e6f5d7d

SHA512
aad86a823bd86f5da533974756fe0bf56441a208694a9d6d34c1a8e20646df1dacc490220b0d671c0b13eca90abe495e3c213e6c60706ec70cb6a0acf93d2b4d

Download Submit
memory/3936-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download