1a662f940661ace52ebc43b1b856a1593709ca1c2d2080ab98a07084952830df

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
Size

1.3MB
MD5

3a632bb34396aac037f56ce14b98c120
SHA1

bd8d77436c8ff1a51327b0cfc383bb279f43236d
SHA256

1a662f940661ace52ebc43b1b856a1593709ca1c2d2080ab98a07084952830df
SHA512

c122916787c4b30e66e2ff8c863a6cf3669ba19d5508b15e2a12f3c416b4817915ec5cb2ab5a1de268e77da9badd9b25105a41e88ead5c81199e02711ea6721d
SSDEEP

24576:NrJKUKCvzuei/bc6EGn5u5TtyJ8adjCzjyhhcDkPQcKiwMH5yUKc5thLfrXa7sj0:N1Kbazur/bc6/nRJ/aOheDkPQcKiwMHX

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1540	crpE57F.exe
3688	hpet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	hpet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpE57F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
3688	hpet.exe
1400	msedge.exe
1400	msedge.exe
2328	msedge.exe
2328	msedge.exe
404	identity_helper.exe
404	identity_helper.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1540	crpE57F.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
1540	crpE57F.exe
1540	crpE57F.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
1540	crpE57F.exe
1540	crpE57F.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
2328	msedge.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe
1540	crpE57F.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	crpE57F.exe
1540	crpE57F.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1540	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	86
PID 3060 wrote to memory of 1540	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	86
PID 3060 wrote to memory of 1540	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	86
PID 3060 wrote to memory of 3688	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	87
PID 3060 wrote to memory of 3688	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	87
PID 3060 wrote to memory of 3688	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	87
PID 3060 wrote to memory of 2328	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	89
PID 3060 wrote to memory of 2328	3060	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	89
PID 2328 wrote to memory of 4700	2328	msedge.exe	90
PID 2328 wrote to memory of 4700	2328	msedge.exe	90
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 4632	2328	msedge.exe	91
PID 2328 wrote to memory of 1400	2328	msedge.exe	92
PID 2328 wrote to memory of 1400	2328	msedge.exe	92
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93
PID 2328 wrote to memory of 3504	2328	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\crpE57F.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/veP0IOZC/Natiruts_-_20_Quero_Ser_Feliz_.html?ref=downloadhelpererror
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc46f246f8,0x7ffc46f24708,0x7ffc46f24718
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9151428632173817820,9046326379657241434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d712b88d84e88f764809a646330c396

SHA1
50eea02e2a7d14db3338af8479903ed857eeccc3

SHA256
1fe86b0c989e81282e4791c4580aa0ce0dfa385db303b08605ae8e34bc0a0596

SHA512
ff5500256057e87d84ae9f06b600cdfd03eb4afa5717fc75141ebfbf189fe2119375323677b159cb1f98c31a7b4162da184d0afda4cf72271152c36b468e61d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e66738073d299f6f8317cea23b10ff5

SHA1
103c09cf31fd8206a78387d32da786ff1c6c89c3

SHA256
30bed483d92d698b9c20917e0b78df991e24a466f08bab43c5b300f0b74b497e

SHA512
8b4290d822f6ff2bb132980f1c89e121b66217178de877aee846078552bb6083f303be8cf4262ddf75b38bea99d4b793f2237f6ae8e9e05f70575907d92da6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a06e2c1ffbb486f39850c5afc6c0105b

SHA1
178fbf8c67c601cf6f04f0c841b964bfd91c0c90

SHA256
e0a5c189748d267b712a90212c7b53e4153924fedd9f1da94bee0e73ee3cecc1

SHA512
ce9a4e8ea6f9b0e62310866eb32d7eb6ba22452474b5aade8b4b77bae47297f3638e3fdba9b1eedfb2dd104f540231865a351d6789adf1cf848f9a4b3a9a61e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpE57F.exe

Filesize
804KB

MD5
dc61ef7550384b682a212cd1b7224cfa

SHA1
554f45ce56845471fb27695d62d63083b3f9eeed

SHA256
6b9d76eb7947fb680fe13c36c0614e802cb6cea4fdaa69e54cece0416f333b7a

SHA512
af8923c9af7244ffe4edf24266d19644a70a8750f1ff31562b97879832365575db4279339d2f9101407b166310c8db1c5538d23331e3196226080d1a0ba52e0f

Download Submit
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit