e4ccbf60552add00030a27ff32e4a5cf109c4a0e6c110935c70f9111af2ec4ea

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Size

980KB
MD5

ebd4ba76bcdc37a064b0506b4c2bd750
SHA1

9225144ccc2fbfe675d921b089e186a2ea7a3c1c
SHA256

e4ccbf60552add00030a27ff32e4a5cf109c4a0e6c110935c70f9111af2ec4ea
SHA512

a87b8cb9e10684b37f4dea9cd1bd8a97bbc5fb6084b515865d90cf8eaa3e842c39e7fd044337324e3449aafb3eaed039eb2c3aec540a5ef297a72792404846e2
SSDEEP

12288:jLPe/tzZCIBMMugHRkj4ptpvkizYIbdpyy0FQzVKCXVzQyiJ/DT7U7niEg04Oy+n:jje/t9NtH2j4ptp3EFanlzrBniEB4OH

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\G:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\J:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\N:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\O:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\P:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\S:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\U:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\A:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\E:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\I:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\L:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\W:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\X:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\H:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\K:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\M:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\T:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\V:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\R:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
129	api.ipify.org
128	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\winproses.dll	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\GIFviewer.ocx	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GIFviewer.ocx"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Windows\\SYSTEM32"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GIFviewer.ocx, 30000"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Windows\\SysWow64\\GIFviewer.ocx"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
3688	msedge.exe
3688	msedge.exe
2644	msedge.exe
2644	msedge.exe
728	identity_helper.exe
728	identity_helper.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe
4936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeShutdownPrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeShutdownPrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeShutdownPrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeShutdownPrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3688	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	82
PID 2564 wrote to memory of 3688	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	82
PID 3688 wrote to memory of 3804	3688	msedge.exe	83
PID 3688 wrote to memory of 3804	3688	msedge.exe	83
PID 2564 wrote to memory of 4912	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	84
PID 2564 wrote to memory of 4912	2564	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	84
PID 4912 wrote to memory of 2332	4912	msedge.exe	85
PID 4912 wrote to memory of 2332	4912	msedge.exe	85
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 2476	3688	msedge.exe	86
PID 3688 wrote to memory of 1920	3688	msedge.exe	87
PID 3688 wrote to memory of 1920	3688	msedge.exe	87
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88
PID 3688 wrote to memory of 4960	3688	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://adf.ly/82712/home
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9544046f8,0x7ff954404708,0x7ff954404718
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
    3⤵
    PID:1520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:1864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
    3⤵
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14871621093596210998,602570677588096421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3060 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.banturcity.co.cc/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9544046f8,0x7ff954404708,0x7ff954404718
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7235496301033294391,10972788105295008520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7235496301033294391,10972788105295008520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
8cc52690eedecc5b78886304e66abe8e

SHA1
02c383dcfb2e774fb9f1f7b62089793dd246dca9

SHA256
ae922fab9b6eb571641603e8d1c2b9ad1b20a04d37185c340fb2434cd4cb1c93

SHA512
a7784f46f4554472e0bce1e81e232d4b6df90d421910248f56a1e63ec81c5215a172791a93c64ff774c0bb89c69f2b431e753950d8701a4ff9f2b8b3c888e25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
691c2f09bb1ace5490a960d09d0adaf5

SHA1
15c0696f78a0e74e5ac5d834c3ff85d9f7580101

SHA256
9c83131de26f3a1d28f14a26c52388c04a3bf4b74683c8a611be4407a8373c0e

SHA512
88e2687a5cbc18ed8e528686706c10caa6c975ae4cb575534edee1e441300d1725161964b867c1187d598751596ab998f2a6ecfae0f0951246e650ade2827fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f062cdf819723f26ecc6e7de0395646

SHA1
f25a0690d158142f816886d864e509298bbe6732

SHA256
dc702ee9d655dab0ed7d959533b8774e1c429bd1a279a89173588e254656884d

SHA512
5fe213fcdf880c2eed1f0f5fe46f04968a7000eed1ab2f2131ad6f96b071840eedccf36d852d7730175a0b9383cd63b6a440fefbd9ba37cc1f3f58105ce532e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ebf149bc809b3100de4f3148fb35a94e

SHA1
c6e0dc3dedda9a6dc5f02c76de819bbfd5589cbf

SHA256
fea77143775ffa50a7889f063bf80776edc067e3f83b4893dd77dd578480be50

SHA512
35e5a6a5869e7e41fd1ae50e709fb166a230db7ef5476b4e3930f4b245222acae2c81c199bdacafe2d2fee3154b535664334a226b65845c9fe3681fb6bfab731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0a8d45f2963c0e1c02dd7e0eb3eda60a

SHA1
30b20ff33eda0df74a3676697d7c66a74257b29f

SHA256
50f49ec32f80021a901e690536f7b3eabd67a42a4e89a043bc97e7157e3a3e41

SHA512
e5fd2eacb560246966aa24a4a147cd467a330dbbc7872356a7ce7f43e255be7f4f896e2e1eb0eb9180aa78bb037b19f1ecdd4311efb77a31896af070648851cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4ccb592501852106a275348f91598c1

SHA1
58e731bc34aae81459a496240d23e04d340c3b30

SHA256
992e1a1ab7c183b70bb8f4c8b016ecce18efcfc55f5841ac381cb801ff151001

SHA512
d827e0be9fbacb768c92dda82f7931a6e1e3e2f2b58159ff20a3cee050c5a8e3ca90bdf1a8892f306e0704e5f5b68f92daaacc1baff8777bf5669125088c7cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
8823aa548b21ee90b74edd265b2563de

SHA1
57b42373e22035e5b4ac66bf665951d9c746af13

SHA256
d17fb119860a6282bbdf89d6cea5729f8b977fcde4272339a75e0a6356b5b6ca

SHA512
4cc81c5006230222578e0e8a44cd6af20ce217477e84281e6936a7440d7048d25b5a5d1ea7eb70ac3b6e694572dc932e2e8e95380eaab0d72fd245100b97ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit