b667caf294dfc1ec9073576d84e40504659ba8cfb28b57d861d08ceb492f4f92

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
Size

71KB
MD5

1089ca24f198dea7ea70b3c393f1e1cd
SHA1

84e9fd0de3b92ffdd1af7fda2734cba6d989b25a
SHA256

b667caf294dfc1ec9073576d84e40504659ba8cfb28b57d861d08ceb492f4f92
SHA512

1d9bce6ef0d287cbdcd95d6c941b17d541547f766abdd0c6d641d4c7feec5bd5e1bc9767a5f9fa50ee497a9e9539b34798174e9754c931571216d78e9fd92630
SSDEEP

1536:FyUiHm6t2cswngVAqqmqes6Kflbt4xon1txbxNwc2bdqThFgQ+0iOR9:F9i3Jswng1hIFlbtWo1fbxNwc2ZqThFj

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Download	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
944	msedge.exe
944	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
1228	identity_helper.exe
1228	identity_helper.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3608	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3608	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4500	3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe	82
PID 3152 wrote to memory of 4500	3152	1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe	82
PID 4500 wrote to memory of 4064	4500	msedge.exe	83
PID 4500 wrote to memory of 4064	4500	msedge.exe	83
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 4112	4500	msedge.exe	84
PID 4500 wrote to memory of 944	4500	msedge.exe	85
PID 4500 wrote to memory of 944	4500	msedge.exe	85
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86
PID 4500 wrote to memory of 1492	4500	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1089ca24f198dea7ea70b3c393f1e1cd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=vsd3g0h_vs0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e38446f8,0x7ff8e3844708,0x7ff8e3844718
    3⤵
    PID:4064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:3216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
    3⤵
    PID:344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4100 /prefetch:8
    3⤵
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
    3⤵
    PID:3512
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:3352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7663310485404403887,13885508815152803521,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3068 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
0d9d64b08a5c33543db15f44edf39c88

SHA1
72646edb51d1990efc3669996ddaaf4943ff7281

SHA256
d08ef4b07bdd9306da4684d7f7c9ac7ffc6410ca8498bfc1bc9059ff92278083

SHA512
d361e02a0dcb0e4e3d7f541627b868eb9e6c71839d0fb421a1b61dc1afae0bf1ab2f00f523ee5492be061b910fa2e4c96cb007f96cabb42406f9d2f2596ea433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b005f4f7f1c010466121dde656b8f089

SHA1
b682d83c1a1bd08268e940727ed21e5880dbb67d

SHA256
3c7e154158eb0cc0ddd5b346f1baef56eedbac787996b4dcf8a9dcf65658f455

SHA512
df362ac01705ff20665cd6bac26712160c1c1156c38711e70cd5f3cc6430fb512e8b9f078ddbff93893161ac664a77a829e07b25a70203a66d762cb19ca74c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d52155dbf7948faefe7c1e73bdbc5bbe

SHA1
6ac57fb8757f19fdf0abec3edb365414e0080257

SHA256
d66316c3052bebace50449f90bc7a45fb98cecef30617e77b346ecd1c51c312c

SHA512
c2bc8264d366ba3124d88a2291bff37ba82c1c1cd767be3694d184a543ca8c613101509763d2fe464625f6ba10f96e584dfa9aa19301bf055046eec6f90ab171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e40559fd361a1c03d295a6f7d7a84bb

SHA1
ba6434ba3edf0d7c8ba28ee24d7aeb51d711b974

SHA256
d32b861eaec1a93216841fb41bd79bfff873b5af6e31cd6a1c038d42dc5584c6

SHA512
aedf42bfc73940d643feb1e8df9c39623d445a5470bb0ae2a412a3e9f46cecdc513b2c3f3b60f2b787e898f73c4ae64b08c194fe97b3a3c19bbe25f6b66c8f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e032a727dfc7775ac88f4ac6915494f5

SHA1
c53ccf9c88910eee75b965f8690d23c3050680fa

SHA256
e3b01aefcd04aac2fcd2896281ad0334eb91838643a79b465c5d3de5a97d42ba

SHA512
f8b8a61ba4ec2d0e842f248c22b972612c0ec843a98ba5d8bf9bbbfcb857fdc8f3bae7d2b5123145dba883cd86e66a7f728690e93a7804e4f5c1dc2c9712a9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8433e606-83b5-4cfb-a2be-9f859738424c\index-dir\the-real-index

Filesize
2KB

MD5
97a42e4c7302963d0515dc64901ef71e

SHA1
1f3f88800636443c7da4fdd3620df38dc75f8cd6

SHA256
6b7b00f3da581d73fc1c487e85d11a49df1f3ce9a60e51a2e161df1fea98bd46

SHA512
84bd5d0e8cd160bed8ddfaae03765163b7c839de10957c4ed65b5a1252a072247d123a5459aa1aa37869edf8fa3339eb2c1d2aeb9e93fc699710038d36c628a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8433e606-83b5-4cfb-a2be-9f859738424c\index-dir\the-real-index~RFe583023.TMP

Filesize
48B

MD5
dfba6a08ba3607760e8dd2641f7bf953

SHA1
2854d78f3fcb18b87b2a6aa50a2059ce78aa79a6

SHA256
417b9f694413e225dd7b816df39e987679c0f19fd8e6949a5064090065e0ae4d

SHA512
dd048a118ea45887e28e7d7a8a1d8ba9633b618d2d4950ea2e2c0ebb80e3d8c324d5576ab4664e804212fc37a8396c78ddf46391a1459ed112c149981b6a498c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
9dec1c15b6e2084315701dc451d53d93

SHA1
c62420d81c2df41fce609c8697d3ad4303a28bd3

SHA256
75ca9fde3c74d9a5fadb93b94bb9ef3b4f57010540813ac10b8e83ff28b57172

SHA512
305f835e1cc5f9cc8a07da16977b761a7687a3b0b6cfd3635e763e6aee746f950c6be294ee70a617adbb7cab3a581fc45138d64f58524477ead495fcfa0bd3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
60262d3879b8aaa78db482e9fe712f02

SHA1
573b765153358fb3afc0582a23436bf6e812ecc5

SHA256
64917fcc3031ec75382664dda27630e6337e75e97a8937b216a196ae903079ec

SHA512
550a303949aaa2a87aa2b7497cf35fb33376a095b900b598530887369dad25224d58dc13fc11ab25c819fa086aa38fa4bd92ae80d81959009c821be61bc64722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ac022788d60c05167ef94123458b1b6c

SHA1
f2997c0333a9fed3be8944dd13d24c4b4f61b52c

SHA256
b390ae7e04a8053d7e17c8e95405d6832fd690fa24eeab27a6c796a3a5176c22

SHA512
dad2e10171a620366110b6003db95dbb15cc691d8faa52584f82a9b31936c3d85d83cbe9aab555f5838800ad4d3efcc5932a6d27e1111533bfaac749acf716b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57dafe.TMP

Filesize
89B

MD5
e290db3ad5297c3846d000b4e9abb00b

SHA1
dbff0c26efcb8be629a9b65a30b28ea50d466985

SHA256
9d1b75e1c7f0f69c7154a7122023812479f3ae12f51b8d9adbece3d0477dfb52

SHA512
c71d0de427ba7d25bf3267609e5e93f65bd7b8629a78b6fec56ffb2256b86a0ee0aa193d376ff8fa928c6e8a2c3a566b47f199b716b71fd3c39485001b2b8297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b7f9ab717c4c82710ffb45d37e3b7271

SHA1
6d5629b11e6d24643b570984f72db62e4bf7a825

SHA256
2dd8d7b7f219d1dae47568db78074a7e88f959e7a9a20ea539cf50a457b8c09a

SHA512
3f60b5051199f2bf7f1aa3442fd7d3cb340119b053eeaf7970a3e23552c8e4a428ef638c9a1112ce407e66a7758d8aa1a9ba8b1fd7701eea90636576ea5be60e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582a18.TMP

Filesize
48B

MD5
73c4c7bd2168318772cb6f9a62d5ace3

SHA1
2d5dcceb9926d3c8ce32f67a098e431b8a1d72b0

SHA256
909cdaae4ed5c445e78c728a1dce30c6da107edf3475b735dff2f79cc9eb1a05

SHA512
db8aedc2be9c7effaf17acc1a389bd1fd8bac32650fe1bac04e8021ef0a341c8e233cf78835af4bec76aba9c4bf5b8999c589afd9702746b0ff6fedfccc1c30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d4b1ec7dcbf39c02786448763397aa1

SHA1
ea5cbea06dc83bd48d2b2140e3b8e11be8d89b19

SHA256
07317e0c12a8a5f7a251d0dc3e05ed2ab2320f0acbbf4ea68bd5592284adc134

SHA512
d7730203bb4c1b9f3333b11ba7b3c04660a876246a5a5da4c176aabd62a7f9b82fc1857b9e7810f190649482c15652fe492565cab2fb533428d9d2489c9aba5a

Download Submit
memory/3152-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-6-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/3152-1-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download