139d85111e50720642abad5632d04494eeaf8f3c424431def6b85473678e58da

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 03:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1194397109dad7881cebf3c04697358a_JaffaCakes118.exe
Size

944KB
MD5

1194397109dad7881cebf3c04697358a
SHA1

60c97bbf2ab477f291385cc3bebdb7de0842f35a
SHA256

139d85111e50720642abad5632d04494eeaf8f3c424431def6b85473678e58da
SHA512

659f1e1698b9368edb8fda01e0314ee1be6ca4eedeb24adebc7126bb164000add3a2e0d0f31a5570687996a8792479b4655440d612eea25549773c82bc529ffc
SSDEEP

12288:zCvEAIe3cdEl2Zg0gnW0X7X4sonr1Wqb1bqUXo529tVHP9pwgUVDT33rzzNedKE0:zfe3oEvGRWI0Gnl3UVP3zY

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3600	crpB343.exe
4236	Setup.exe
896	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2244	rundll32.exe
4236	Setup.exe
3640	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpB343.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a630b3327673303175d470b73275d135357035d274723275d0b730b3747636753732747d75a06010181c86a8eed00226b0b9c	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
2424	msedge.exe
2424	msedge.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
4236	Setup.exe
608	identity_helper.exe
608	identity_helper.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4236	Setup.exe
Token: SeTakeOwnershipPrivilege	4236	Setup.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3600	1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe	93
PID 1120 wrote to memory of 3600	1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe	93
PID 1120 wrote to memory of 3600	1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe	93
PID 3600 wrote to memory of 4236	3600	crpB343.exe	94
PID 3600 wrote to memory of 4236	3600	crpB343.exe	94
PID 3600 wrote to memory of 4236	3600	crpB343.exe	94
PID 1120 wrote to memory of 2424	1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe	97
PID 1120 wrote to memory of 2424	1120	1194397109dad7881cebf3c04697358a_JaffaCakes118.exe	97
PID 2424 wrote to memory of 1644	2424	msedge.exe	98
PID 2424 wrote to memory of 1644	2424	msedge.exe	98
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 2100	2424	msedge.exe	99
PID 2424 wrote to memory of 4816	2424	msedge.exe	100
PID 2424 wrote to memory of 4816	2424	msedge.exe	100
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101
PID 2424 wrote to memory of 1620	2424	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\1194397109dad7881cebf3c04697358a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1194397109dad7881cebf3c04697358a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\crpB343.exe
  /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\79871C~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Latest\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
      4⤵
      Executes dropped EXE
      PID:896
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\79871C~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/rar/hDfmibXl/code_de_la_route_de_tunisie.html?ref=downloadhelpererror
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ea346f8,0x7ffa6ea34708,0x7ffa6ea34718
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:2272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
    3⤵
    PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12045237889913075686,1211873827539990344,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2732 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80cf20d9e8cf6a579981bfaab1bdce2

SHA1
171a886be3a882bd04206295ce7f1db5b8b7035e

SHA256
10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1

SHA512
0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7006aacd11b992cd29fca21e619e86ea

SHA1
f224b726a114d4c73d7379236739d5fbb8e7f7b7

SHA256
3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814

SHA512
6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b31319914b5a173c954aefd0aba81e0

SHA1
a61df365a84840f5aaeed89b57422d86812e3e4c

SHA256
e1ab665d64f44326769310b87458ff32aa1d45a8a6383bebad2a4fc42b663c6f

SHA512
957301b56b5b56e032bb590eb0f8bbb275a2bb584d5763301abe2b502ef4db2c83a754f2d6c959e866d6b5f6c4e947b5998aa90ff45a8aba7fbd34a6bf9c573a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9979aed41d9fcc9fb1f26e69df0f9345

SHA1
9816960e6d4bf89438173d1a236d0376faa5d8a4

SHA256
03c4674b3255f6ccc68cc9867eddfab0257f9b4a4b614917ba2c479c2ac0d2d1

SHA512
81adfb356c303e7c87d377cb7edd426abea284659f5519e3dee95ddb6f48df8faf40201a709bff6336959880cd35ad0c88097618c676c0b8da15f58acb455f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b14de97a870209f20dd4784c2c6cdf40

SHA1
a6aa47dfa2e6f8a48948cad5e83de73836bbb8cf

SHA256
d4ede4bd9f19bb6a1bc95f34460be6a6d4fec0ffea4ee7965e132253f91e8fe4

SHA512
cbf032a49fc9db4117d13ef95be8a7103785589d0bb2ce1356059912dbb1866b0bcb83196bcec242b0868ac197a9d0366c7db0f43dcf7d5acbc6648e905c942d

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\BExternal.dll

Filesize
129KB

MD5
3e3becf439465e96f35b4ecdbac44641

SHA1
6511b37c7ace73216d35c2aa7af2034e1780eb56

SHA256
592d8164fd85e2f0324ba06ed27f7eb39989f53e5121a4562f7d78323228c0b9

SHA512
dcf6edb55b77130e03e0c51ec6043d515ce0397a1443642743c37211d2aa081dc1c16002e3af768248361296b149a1ab4605f64cba2310c967c26cd6663d0e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\HtmlScreens\loading.html

Filesize
644B

MD5
f50fa4673555652289652753183fd1ee

SHA1
f496797f0d34eb866d6328d2fd1492b485f74d0a

SHA256
afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

SHA512
6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\HtmlScreens\navError.html

Filesize
926B

MD5
0c464e407c81764ebc09eacbe41f0b3e

SHA1
245afe550a05215e5873d8f5f21c22d12aa46b6a

SHA256
770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

SHA512
71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Latest\setup.exe

Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\Setup.exe

Filesize
1.8MB

MD5
74af846f2ad4aec60779623fc8bbcd83

SHA1
9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

SHA256
f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

SHA512
157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\bab327.ff_2.dat

Filesize
179B

MD5
acc576624b76c140ce6e78885d279efe

SHA1
f5816e66ab9da86bdff210f96399078c36a4af54

SHA256
78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

SHA512
449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871CB5-BAB0-7891-9BCB-8447AD6B9D9E\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\79871C~1\IEHelper.dll

Filesize
6KB

MD5
9cb62aa0c5c554f2557d29d1601c8347

SHA1
f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

SHA256
a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

SHA512
0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpB343.exe

Filesize
754KB

MD5
5ac98c84160a9400db448d153c959bb6

SHA1
829d808c091045f45c513a6e4ab17055a52a9320

SHA256
e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

SHA512
36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

Download Submit
memory/4236-90-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download