00e860faee4a41a04548e6d192752025ff3e7797b5ea79af28ec79717967a412

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
Size

171KB
MD5

eacc26a7f13e6d7966a24a203be1209c
SHA1

eca7e96b7f7281258482a7b6a6321040ff5005dd
SHA256

00e860faee4a41a04548e6d192752025ff3e7797b5ea79af28ec79717967a412
SHA512

9700680580a38c3ebc9aa06b168f20e49c8c99ff306d606f13bc90b85f9e081aa5bfb813d66af02a270ec8c828fc6a5fe62d5ade44476ad1c1ca25b8c6dd22cd
SSDEEP

3072:HyqBbuCxjjuRmh/EPcBJK5OTOHP4PbCHdBABuH/hci+PIZsRu:H7BbuCxjjZUsJKcTOv4JBbSZ

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4992	1052	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Download	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
2728	msedge.exe
2728	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
116	identity_helper.exe
116	identity_helper.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4264	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4264	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4572	1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe	90
PID 1052 wrote to memory of 4572	1052	eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe	90
PID 4572 wrote to memory of 3012	4572	msedge.exe	91
PID 4572 wrote to memory of 3012	4572	msedge.exe	91
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 3172	4572	msedge.exe	92
PID 4572 wrote to memory of 2728	4572	msedge.exe	93
PID 4572 wrote to memory of 2728	4572	msedge.exe	93
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94
PID 4572 wrote to memory of 3868	4572	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eacc26a7f13e6d7966a24a203be1209c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 388
  2⤵
  - Program crash
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdaf2546f8,0x7ffdaf254708,0x7ffdaf254718
    3⤵
    PID:3012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:3868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3972 /prefetch:8
    3⤵
    PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5916740317274968836,14055929252187923302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1052 -ip 1052
1⤵
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
bc881fad0f8db8f2f345452d89e0744f

SHA1
beab5507446a467c84c3410479b82b3b044192b5

SHA256
e950ca4c56473c0e64c1786687ee06adde0da4d4c5c04c308692018cf052a6c2

SHA512
fa6b204eee4979664e3279f432a450224e67de28cb61849aa4cbc08e9594cea44d928609576d03f7d9442f4672892b538e1cc5542f497de9c07fc618281cc221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
bc8c73b95f7b7653c323235fd74cdcd4

SHA1
43cfb74e74c53a417fec7aef5ffcb7fb48a54101

SHA256
3751cb0e74722a9dc8c888f942fc7b302acd1ca856c1d858050b2f93e2921f13

SHA512
212c9bc196113312c89b186f2b0566d240ef28710f3a04992c4c452412bc4644bbc36b84d968a6b03514c22d55520f52c9736885aba63f422e20c0f56de56cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
987fee01c5074f85545ad08ab3b7651b

SHA1
9551e8b02333cf7bc44609305a95f75b2cb96ca0

SHA256
a38ffd2bc28c6a4a1ed089c204909856fbc90eb21a5d3d858b792d922f3e4a0a

SHA512
7739f59f4a83e799c49a9eefd0df5141b134f7c590005fe9ac8ad82b3923634e537095f89a6214456b3a0a947d76fbae75c969c918ff5b6b24a3f8e1af2befe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f61066f7821f24b1e2379c4ff69fb672

SHA1
79ee921b9097dd359b1655f0de7f223f1e81b86b

SHA256
cb7f53951e8d1d5ffc3832c7562b532acc00c9338a03c887fa9f13232fce1f19

SHA512
1f002d88a6274fafb715600fd6b858e8a4fe1e5a7c0037b62ff3b230ae51e6b3acc2ee12844904437ab7aca86dcdeb543406b20504cbbbd57ca197261a89b3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab8011ca553b63e6f4f3c1d517d17769

SHA1
a68d89bfb008d72fc293e0be554b6c2d8f984efe

SHA256
59878f63609aab602d1ddb0d51e8a4d1ad1749e079fade2e132147d25c62b3b8

SHA512
3651ef3d236eb979d8b2481399f1ea4736721a255d66bba54a172ebc0053fe7f30abc254bdef75a80e377c8a2d459a449516d596e1401fbcacb7a0c921d22660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d79ac64d-9da2-41e7-9952-cf427c19c7cd\index-dir\the-real-index

Filesize
2KB

MD5
3781a40056c471ef460e8e550044ad9f

SHA1
a092532a155b8237e625ea81e4fb1f0cb2cda3f1

SHA256
d81ef1727dc47d830b75bdce199d53880f0e6cb0143fef60169b6b63dbe3d9c5

SHA512
d66caafc8e3e2153bf9f569d8ea803a4374c4a48dbefab20c41a2b429aa2102a390b32818333b2d383b6f99257c88a99ab8ff3b641e359a885f0dd5e84658469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\d79ac64d-9da2-41e7-9952-cf427c19c7cd\index-dir\the-real-index~RFe57ef42.TMP

Filesize
48B

MD5
e4a0e6e8c6f586ecdfa5878cddf1be0e

SHA1
13390bc5f7bc47e7cdcfa46cce280d07282ff582

SHA256
047fec564453e599c586103ea4923f2359fa9f88032131d6e6bdeab64d7af4a4

SHA512
d9c51080483e32e6547931504dfb8deb24cc02209089657779476bce2fcfd59d81880e11861801432579b8430202e99ac9957daf39db876561d9faa8680a0392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
71d5ece73520b31a106bd15b1384f740

SHA1
604d0df19dfed3642d67645598b6163e5fee8f18

SHA256
f094595df2c2ae4364e70a2497813844e3eab3d9981955e7be9ed1500dcca0bb

SHA512
2edfd4f35e4327dbfee240dfbe73e5abaa523e72d92918cdd1b9da47827f264f6e78057dbd69e9acc113164f4c45f9f38c0ed4e4d33a3aa46115a4900135d6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
8babb9d42b6886ff6a1ba6b68c79bf8f

SHA1
5622b122fa71d0f8f085d66241c4267769cee363

SHA256
249877ef8ae236e046735dadd7d5809202a1110bbc02f0a32eee670dd045a96b

SHA512
91dfe4042f0381376fe83814bd35df3b6df90ad836ef126741c0d756426f914c7634e3892c8802004dcf4d64df9cdc7d5a93e113f4659fe31117c0314274faf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
853887624759e3251dff4fd83538d39d

SHA1
7d88115d6eb665968c3ae1eeb75457cbdb40a5b5

SHA256
39802246124458ec4ac7d905237a9f30c0c8b67f761c8d7e0163b7d3d5c2943f

SHA512
8d732b081d6921ec60a7bee2e9afd12ffc8a46379f4ca4e6321d9573708c3c27373dc56d5267f6486812125ff9479ec0674b4602b4866d106749cda2ca44dc29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe579942.TMP

Filesize
89B

MD5
c3c53c8a5950321d2ad8c38837ec9b5a

SHA1
a1bc706c1b6f94b05504ec9be6d629e05868a4f2

SHA256
8cda39da8cf53ccf22e7c714e1ffd322cc44d9addd7e26444bae2d06e92afc6f

SHA512
41ae0efa39c96e8f35e748a5cd63995e3469f30555a76b718ee25cd55624e05b35ad17c3ef0299bd94fedc83d2a3b7de559573c611331473e152f230a17feec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
87f874a01d07521b757d680b20d1fde6

SHA1
6c03945dc3c6681aab64510c0d800bae52e117ff

SHA256
5972b2ce7cadfd19e57e6c7b32e78d67dd551f12ab12146fbbbf58a03bfcac0a

SHA512
335c4ba6d7266cb519202d74d78617521860daab4b7099160f37f5a916db75200f4b7a1188f5b4e788ed0caec555ae17d8ff671b6b55ae5630b26ea71e3e2c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e89b.TMP

Filesize
48B

MD5
aaa760a219fc0571a5d85a8b650c0642

SHA1
5f6cf5f0a3074f5fe39dac68156d3c24c7e27f18

SHA256
75d3c9410665ea878484c64d2bf888b4c367a01369df5c0b4103c77faf6bc41c

SHA512
8a818e9e82dc41da629b108dd0009f447a0dd028c85b2a8325e866258140c4e9bc093875925e968aafb1b4fc5d2dcfb569f33600b0139593054a2a4d9e753e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
90da5a3966d322f20b340d6294fe748f

SHA1
fc675b5028d85cedd27cd0fa0e405e9009bfa898

SHA256
2306cdb7a8b1ab8f3ae33147f2f97025f347bc8bd6ce4543e858135a05f13182

SHA512
2d35297c9cce26dc7f63613a16ac552c4781c7428eee513bc2a5c05cfb3540c0da45fbb79d7836ffc54ac4a52a3cea357b7b69a6d02d42ca5caf6b5e3a7572bc

Download Submit
memory/1052-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1052-7-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1052-8-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/1052-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1052-2-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download