bd467477ec758b2a5ab5652da7f03627ef301075d833e9a4c0cba6600fba4b8b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe
Size

54KB
MD5

fcb8b776618a58060928a6d7d7c23661
SHA1

5dc28359d741eaab9737ac5d78811cb575acfdda
SHA256

bd467477ec758b2a5ab5652da7f03627ef301075d833e9a4c0cba6600fba4b8b
SHA512

1dec7b1acc9e45b2adf1c8c47b10c7449af4e1f2b38be9274ee826c978a48863273f762658ee170e87fbf6dc0a9cd0f7f76fa416ef449db40ee4914946e69f13
SSDEEP

1536:KvQ4EYIIMUl+xWW2udFiJX5ELLozatWd3b6mef:KI4EYeQW2CgaLcGtW5h8

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2416	b.exe
1808	a.exe
4224	c.exe
2084	d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2740-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x000800000002346c-14.dat	upx
behavioral2/memory/1808-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2740-39-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1808-80-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1740	2740	WerFault.exe	84
2460	4224	WerFault.exe	93
4696	2416	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
3168	msedge.exe
3168	msedge.exe
1996	identity_helper.exe
1996	identity_helper.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1700	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	85
PID 2740 wrote to memory of 1700	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	85
PID 2740 wrote to memory of 1700	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	85
PID 1700 wrote to memory of 3076	1700	net.exe	88
PID 1700 wrote to memory of 3076	1700	net.exe	88
PID 1700 wrote to memory of 3076	1700	net.exe	88
PID 2740 wrote to memory of 2416	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	91
PID 2740 wrote to memory of 2416	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	91
PID 2740 wrote to memory of 2416	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	91
PID 2740 wrote to memory of 1808	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	92
PID 2740 wrote to memory of 1808	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	92
PID 2740 wrote to memory of 1808	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	92
PID 2740 wrote to memory of 4224	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	93
PID 2740 wrote to memory of 4224	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	93
PID 2740 wrote to memory of 4224	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	93
PID 2740 wrote to memory of 2084	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	96
PID 2740 wrote to memory of 2084	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	96
PID 2740 wrote to memory of 2084	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	96
PID 2740 wrote to memory of 4856	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	98
PID 2740 wrote to memory of 4856	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	98
PID 2740 wrote to memory of 4856	2740	fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe	98
PID 1808 wrote to memory of 3168	1808	a.exe	102
PID 1808 wrote to memory of 3168	1808	a.exe	102
PID 3168 wrote to memory of 2912	3168	msedge.exe	103
PID 3168 wrote to memory of 2912	3168	msedge.exe	103
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104
PID 3168 wrote to memory of 2992	3168	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcb8b776618a58060928a6d7d7c23661_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\windows\SysWOW64\net.exe
  "C:\windows\system32\net.exe" stop wscsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1060
  2⤵
  - Program crash
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\b.exe
  "C:\Users\Admin\AppData\Local\Temp\b.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 232
    3⤵
    - Program crash
    PID:4696
- C:\Users\Admin\AppData\Local\Temp\a.exe
  "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://thisfreemovies.com/movie/black/0/4/459/1/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4b8246f8,0x7fff4b824708,0x7fff4b824718
      4⤵
      PID:2912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:2992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
      4⤵
      PID:3424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
      4⤵
      PID:4452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
      4⤵
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
      4⤵
      PID:2244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
      4⤵
      PID:1296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
      4⤵
      PID:2344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
      4⤵
      PID:224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8866861189295438240,10895047288468392617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5628 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3696
- C:\Users\Admin\AppData\Local\Temp\c.exe
  "C:\Users\Admin\AppData\Local\Temp\c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 252
    3⤵
    - Program crash
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\d.exe
  "C:\Users\Admin\AppData\Local\Temp\d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" C:\Users\Admin\AppData\Local\Temp\FCB8B7~1.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2740 -ip 2740
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4224 -ip 4224
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2416 -ip 2416
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c61e2487bfc85b1c8cb1d07191f2e07

SHA1
d858317b3f6d524965b81ef060438cac7cbdcd74

SHA256
71270966b3ef7389190077a153d0410673889d0e930e0ad970f3959ce4abc6e7

SHA512
7592a3baca580d0b4b3e120ca3d67e2a310727870a35d554115711ed99de4562dbd54def5f8a074904ef9ba1e7d74c07d332a413b7de5456b8884a1b324972d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a55af4c91bfe06b42ce784038ac13692

SHA1
183262f158afb804338ea2fe88aa5fe6ac53e8e6

SHA256
8f2ea3ea9350035f4658cd98863df221d14ffa44f6531623ee4a2cebf91a48b8

SHA512
950a48b13029a7007dc7c747cd02953bdab8d06d09f1d34725a0a8f5aa550b4d2722f5196c6b66e5d5745e25bcbfe71e687e463f24a26d0329fb83331a5ae622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9255fbd3f6437345b290514cbb3a15f8

SHA1
bb6933d80819eafb0483ebe9ff055c191439f5bd

SHA256
72f1d9cfead674bea17f3639de7c52da37ae417bb8bdac599b31218408759810

SHA512
ab68b5172009905754c039effdb53ced9c36326f748d289b81a2c1e0146e0dd5133385290a133d376b040454b5a6160d0029fe15081bae27564bf884e0e737f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e508e3278d327ec8e2eb68b67471a0ed

SHA1
a96ed574f5e8d4a43309bea64ff48e1851daf2c0

SHA256
24bdb00e137a39716ee35737d7ade15d7094d835b7a734ac36b36e207c30ba47

SHA512
536a97c535ff97fd62058d4a6a592d3b451676876218bba67cec586f347ac89bdeee22eb28b08b22d3e88eb9b9a3d0d3624e9476eb6473c706d964631597090b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
100B

MD5
690b3f01505a574851c27e804e2125fa

SHA1
1a81de4651cb2dda34b063d671171a104208f49d

SHA256
275fd7f274e03051e0fc26542c2d867a0dc7eadb592a71f6341ed5765ecb4f40

SHA512
2664845d87ccfef7d6f8d8b349e375fa902f7bb069f778ff24b70061c5385caa2f8f532534dd2cc627d6ba310c5d86c40829298c63dba9ceb8de5f082a55e228

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
33KB

MD5
e31f2bd3e91f1312624126c032926d9d

SHA1
06659697743f34a69059ef8882586eee94ad1ffa

SHA256
317c0d7dda045ca8da235206990e7ce0cf063574a31d5a53733317814dcf3c1c

SHA512
0e10cc712d29e45f8c2d853728374b45659fdfa98774faa47b04900ccdf77b6a5030a6de1f8777ca247645c74a382dc6c701ebea94715cf9cab4ac1bf5fea8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.exe

Filesize
9KB

MD5
14dcaceef471e47ffd6686cbee966410

SHA1
72bc88050ab1f717db1a08c86c1b563649b74ca6

SHA256
dce5eb1617216e68c307c4130eb778dc8d994c2b77f806dc7d6870f3a5f0132f

SHA512
89aac0d11b7d62e7b53359a295e6e4cb8219463af7fd8a478ff47d509076ae1b9292c879f82e47754967f91af00868320007014bc646c74fe1c828f8fa68d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe

Filesize
3KB

MD5
a877890f490f3453d2623beaaacaa2da

SHA1
48ed85d37ee3360cf74019a70b2519ec587e7bc7

SHA256
0de2e450794871ade85cbe378885ae8ef2d5243c4e02b908e96bd1e7a0afa99d

SHA512
b21dff9dfb33c6a0a2a272a06a3addc4732eaba7babb4186f043274014239dadbe84590cd9fa5612ceeeaf8cb6bb8511427dc5b62d46b9d21862649be177dcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.exe

Filesize
8KB

MD5
751e89b7a8bd116b1217905556933e9e

SHA1
f64af2aa2d7559333079eb5373244bb46fab6f94

SHA256
0d2b856817066487a76d47f84a3dcb5d16c8ebb51444bf0a05c3e0c82b04fbcc

SHA512
81de1b1ac3ac7b225818f4611f7fca3fa20a50a60d461e67fde3e1eb170c483e3d6a93be99f4326651f0bb607d484cf7c120144e7724860ebb4e76546fe59da6

Download Submit
memory/1808-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-42-0x0000000000400000-0x00000000004141DF-memory.dmp

Filesize
80KB

Download
memory/2416-8-0x0000000000400000-0x00000000004141DF-memory.dmp

Filesize
80KB

Download
memory/2740-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2740-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download