1be2ae8c73c2cb1b8ba9c894b970ec2ce909bcfa310b7b903636371339a7fced

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe
Size

1.3MB
MD5

30c193853a6e9f45ed1fe0bff832556c
SHA1

01ed79e0659e66d7a03e4a534c7c0b52599f48d9
SHA256

1be2ae8c73c2cb1b8ba9c894b970ec2ce909bcfa310b7b903636371339a7fced
SHA512

918efa7bcefcaec35892bdf417613cee0ecd81f30b15a234a5200b17c28a6b175d8c797a4a5bc019bbc0fdde5e578007cf338d1d72315a1777ef03d0c0303bf4
SSDEEP

24576:frJKUK/juqkncxnfS//2oYP+ENxuIW/Rjl/lVlP64htKQtsVELVDiicYQRebMyHz:f1Kb/juqgcxfSE+HIuRjl/lVlP64htKB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	crpA3A3.exe
1948	hpet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	hpet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpA3A3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
1948	hpet.exe
5036	msedge.exe
5036	msedge.exe
4476	msedge.exe
4476	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe
4040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2028	crpA3A3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
4476	msedge.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe
2028	crpA3A3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	crpA3A3.exe
2028	crpA3A3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2028	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	86
PID 2032 wrote to memory of 2028	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	86
PID 2032 wrote to memory of 2028	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	86
PID 2032 wrote to memory of 1948	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	87
PID 2032 wrote to memory of 1948	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	87
PID 2032 wrote to memory of 1948	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	87
PID 2032 wrote to memory of 4476	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	89
PID 2032 wrote to memory of 4476	2032	30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe	89
PID 4476 wrote to memory of 1172	4476	msedge.exe	90
PID 4476 wrote to memory of 1172	4476	msedge.exe	90
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 3280	4476	msedge.exe	91
PID 4476 wrote to memory of 5036	4476	msedge.exe	92
PID 4476 wrote to memory of 5036	4476	msedge.exe	92
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93
PID 4476 wrote to memory of 1840	4476	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30c193853a6e9f45ed1fe0bff832556c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\crpA3A3.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/eWaW0U82/_-_scrubb.html?ref=downloadhelpererror
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6d9d46f8,0x7ffb6d9d4708,0x7ffb6d9d4718
    3⤵
    PID:1172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16787566384029873715,5683921549533733034,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60e67e2707232e828f07c10b40baa255

SHA1
8100abf3df5749c92d5de81a2ba22647da5dad3f

SHA256
da70a898d314b50e314ac32bd7b31bc2223e0a23b7123a3a5aa064612efdedc8

SHA512
0cd4f0dc0f16b57592c226ec679a70c4d17e499aa6edae296352dc0984b849417cae6a92e7f9ae9e0d38d5b670b30e03eca8f567b5aad62af4d7b12134488c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f62323f283435a3c806b5fba5eabbaae

SHA1
fb299cf28d94b696f7549178ee4278d11543cbe3

SHA256
8e41f728c5f08ea6fc836c8d76fe8febbc84237dbf7bc86aa123c6b26aad41f7

SHA512
c30d86e882e326309f7569544d23c0109d5be0606a4b36ab3ed6473d31d8ab1be34e28024fc986886763e1f9e2620cb4b68e84f67463e4120ecb06220c63aca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cac4f0224c5495aa34b00a0dba3bf676

SHA1
27059a216f6b310fc1dcd1b8bdbd6274c2637791

SHA256
4334c8d5e63b822c3a52d414784e3a675e0beed95b8b2a5ee18c595c848950d4

SHA512
4203d23b23758d40051ff487d581efed16ed0ca986ec8b2fc255ee81fbce96e149740e56daeec2f20575c593023f375c7e0bcb58dff7189009a80445fa6186a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpA3A3.exe

Filesize
806KB

MD5
661cf9c90eb099fb7b6a394dd8cde2e4

SHA1
3704e119ea16a3c336f63dc808176a22fbb8582a

SHA256
1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07

SHA512
13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761

Download Submit
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit