6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d

max time kernel
881s
max time network
849s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
Size

25KB
MD5

1d93e8597dd860cf81cd913c4b997818
SHA1

a7dacf6a32b194720a87130a16f2222c44f036eb
SHA256

6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d
SHA512

c35592acafe20b18914ba7ee31201faa7534136df292d7c14436fb3bcbdd5f07b96b3b63897509068b8263ec4e12f55e192de027996dac8e63e08712fb891e98
SSDEEP

384:PqlIcCtF4JVGTHyk9v1o99t5W9ISFaTGHx6QckT/gbpLOXguLZ:sZtSF5zg9ExLZ

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\936ea4b6-eefe-449e-91c6-c11314807472.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250113172352.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
1152	msedge.exe
1152	msedge.exe
1836	identity_helper.exe
1836	identity_helper.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2144	1152	msedge.exe	80
PID 1152 wrote to memory of 2144	1152	msedge.exe	80
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 2272	1152	msedge.exe	81
PID 1152 wrote to memory of 4504	1152	msedge.exe	82
PID 1152 wrote to memory of 4504	1152	msedge.exe	82
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83
PID 1152 wrote to memory of 4652	1152	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe995146f8,0x7ffe99514708,0x7ffe99514718
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d1705460,0x7ff6d1705470,0x7ff6d1705480
    3⤵
    PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1400,3091934950192342955,8777792179832318037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6c51122c811a0f047374c84954de8db

SHA1
46b9923064d07adc31ab16fc5a6358b46a429329

SHA256
0e2b81c17f8dfc47696bfaabe2abbe02912406734e3e2db6848615ceeb88bef8

SHA512
d75eb7e979694b47f0fde49b3514e100677d2ee7c0fc5f880d2ed9eedb5c215e15a6410db913fb7d9b1c8d4caa9235a8587e0525e4e78c4ab5170b23f8dd4d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea1c2801aa63b0b7d559edd3adc7cfdc

SHA1
535995078ba0c227fe78a9bc340e848907e420e4

SHA256
d5daf639f0e5d8039eb65ce05767ae58bfa4b04a6a5b0b01b7a42bfcecc9756c

SHA512
877abc639d9913465eba3e82e2192a03d6e63ca341e0954c9b62b109d1f0547048423f4f0b6825c4a1846b7964f1bd14272663d7166df6a71446328f9241b06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
29e95141bb2a354dd8ec24ea8a84fd44

SHA1
57372b37753fc544b8ac87abd5415494cc3b42e0

SHA256
19bd0510345241c4cfc5ef75eb29934f349f50949cfa414d4ae1b5ec93f66f26

SHA512
4f805b4d6dc912c725f2eb46eb14ead05bd987d431c1542c3dc8da82b6d70b3bc1019ca5b175222a13fde8d74b673b9db5a5bfd114208df6ca936d504b77346d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
87a86205c24c5bdaed30dc93c83c5e1e

SHA1
b02748980ff015d4d4c0a54cdae00f0683fe1564

SHA256
4b737f518e2c4a4d066aa3e021b0d2a6166e350ec78a7d1213a598bfd5b2015d

SHA512
7e48a299cbff804fc5aabf0361d12f30c158e9ae08f9121baf6350a9f0a1bfcf38ce1dd8399c61eb21db6af75740982d65dcae80fb12997d01ec504e4c753f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
8d2c6f383a597e4073df8c92ae881192

SHA1
05b2630c2293110938216aaf2ff29fbb50742c84

SHA256
a67a5b3f0475cdd50b401bb8f40b3ea19ebf43733cb826b13e4b5673f0f22baf

SHA512
3d764283896bf52f7b477b39dcc09b17d45a3433eae4dd71979f827944ea68b0bb4c1309dd39a26392c4efc275f8fe2e66bcb30d5a47cdef2270a1244f0fc87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
080c0926238cc4cb9eaa64ffa847ec1d

SHA1
580a2c85f5657106f44df10c84feecc9eb047007

SHA256
03ede8d57536efdbc0e241edacefa41c1be25f26e9925ffd543711ab4db79d23

SHA512
3e45758c53fc3610c5da02516a612ac1662dd67e6d5761fd66cb22c4bfee54ae53fd503fa3a0c530623ccc119226394df155f33af252dcab602c6944f6071531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3b5793c5d08baf9664c77db42043f80e

SHA1
f40294c8c88cf2e1f68bd0985e05532972bc0155

SHA256
70991e6947e7bedd646534bf68d50d8f63c371817d917c34fde9116c7fcc305c

SHA512
646f30ab53aecd7f95d80d4c9b8052a5898a8ba856abbbf243012c49180b4e1ee04b2052c50c977968564ffa170b02fc6980f7c45d9697a01f58eb3864f9bc72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
463362cd3efa81eedd47e3ec0a4413ec

SHA1
8050f9773f4aab8d5573a4855fda5514a3a457d7

SHA256
0402be5f29c22d6e5aa9648e8cc5c5796a658a2d22d54ac8c3b5d341be99c221

SHA512
6260536f3419527a6ebe5b46446e44454416293a220378760961fe74dde83c822a761b2879d8c8c62199234539b9182f4eed2c726669e8326cfb22b91fc05b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
adb1be07e4fe03ad007145a1394a40a1

SHA1
1a0f580b2469fc7c5c29242b1098de7316506906

SHA256
10c120909ac90897a9ee57af0616f6c7f6e112f1d98f6e230677fb0665e808a5

SHA512
941daab5095e59de2915bc4ccbd899a4d537386481308cf23a9d99946f86d1df71c0f714dced8e79cea0c4ae1042a59743ac207b75b9bb3222a207a72117e284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58bac0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f315b051c21fa64554633d3938606f5

SHA1
a36d122d6759e1e3f5dea7b0499723bb3e41560e

SHA256
05b6eda9687c1edd1343c335f387fe8c675a9f03cba1d0c3f3cc6b8c4293f728

SHA512
9e33a09f6b742353c7ac134817947eecd80e71be458d05d1fd526fd84b5620d69c91962b256dea2d337c4921b6eeb1a60cc4cda85f09260a44f58cd327d93977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0e737ef434e765b300c1dae42708355

SHA1
d5dc8df8f95faf1aa16909a44bc4d3edb7fb5347

SHA256
e619af1869c12f786da1b8b37af9642a12256ee8e02d6156c22744b74d10be09

SHA512
64fd5e8b11fc298a392df0cb8e8319f5ff68201015ea0359b2221ee9ad826351418e605be7a4a58886d62ad283d04785f0e99559546e0ea065fa306ddeb79b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21f7e4cca0662055bf0b1059900ff058

SHA1
1293187c3cfd3b5cd3739c4ddf17a847318146c8

SHA256
ed3ef52b8ab212e78b15347f95eea7f52e16f31585bb030e3daf96a92acb2847

SHA512
5b90f9b254695e7feca069b2ae421bad94fd15a3481e77dde6ed6ed5fb2d8937bb6f077e0450c3ce66d1f00e8ec3012cf39628d96c2638d18dbc9f10ea888e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca9a5c4774c497e926799dafeb5b5861

SHA1
c09ebdf084efb9f59c03ec663cec7ec645694466

SHA256
900b08ff90e843e27ff22a3f489e0bad20462881f158014309b171f0602d3d80

SHA512
10b84bf6f13ebe4d5306e139096229d89af72b77a63ef1b032504cf36d4b1d561ea3f67366b6fc3fafa74f91de0201692ce61ab0bc34d160ce3712ea361d76c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
db0cc03b1657f5dda4b38846f4eb7157

SHA1
1deac63712a9f66b4a33ef65305ac5f0c678a34f

SHA256
2b79c7a18fb021ed166360ffa784c4fb44b5784d7bc8e6187dfaa80ca4c07761

SHA512
55dfbe0425daebd6fe6cf54019e690fd4dcd28917a91d1fa0db57bc120d84d2f11bf119d836b8f0cc2e5c1387fbeb911b1a08a452fc493c06850d80621f45f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fccad2652971ce1f105ce6354c7d5235

SHA1
47e2387537bb38fc7db14eb46607dbecc093796e

SHA256
c9f86fcf54928f7f4f85f83bc696505cb63d1300f7a1ffad4b97f3cd92784c40

SHA512
31a536c04ade93a676958046da98f24b439ac8541011be47d1514a6556788d052c1950cd37968c1a9bf57ce6e0b29db9ca3f2d22e28c8b6cb653527b0d74b3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7ea5473c8bf3d648dacd149311a269e

SHA1
3cb9a7e6fb47e548d6b7d387bbc41eeabacf6a90

SHA256
9dcecd6c44791d0235d7f79109a10a53411a94958db6bf29cbe8054f0b475cdd

SHA512
f19e4fc36579152b0c9f8864d4af1e1a244e9c2c0081a5db3aba11bb77eaef228cc0e71371777b389a52353b43365daa5cf5368f863e9975451f865a882612b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
022ee89153aae0ec14370e5536daf4fc

SHA1
2f70ffdfa887f6190eb7c7457d9557785187e6ba

SHA256
622ecf78df6f9215d2d336057720b65fd35a3d537826a136d9f7d72c38951449

SHA512
d63cc2071efd175504de95e4fb989a2193819aedcd33ec5c6ff11d1924448aa20033d46d6699f1f72349fc3fcfe5375591a4275292bf9b978c6f2b0761b77d79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582eac.TMP

Filesize
538B

MD5
d58d7f0b97909d90eee4bfd65268a832

SHA1
ddf5510eb6ef9dc88b1a6c2c8f46409613be12e2

SHA256
f47d9d1cec1d96f049ecf3e82a10e5e69c3c90d5f55f2b26539c218013323d59

SHA512
0cbe122fc9cb9a9d6df90fc244a55e2c2508b7d32f4c6b1b86b5fb0d88407ceea9ae03f1bad339a197af5d57ea449206d2cba61bf93349aa4d64b40c9424c11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9a24bd366f2cad3e794942141a70e905

SHA1
32814da0de6fe98f15bff1054cbf588a6c532616

SHA256
e02fee29eca5fd63a1436fdd5f9381d3c463da107fd8c31450627e06ee3679f6

SHA512
3d772eeb6b39687c87fdceebd7efdf47544428b6b537f9560e22501d9e04e520341e787f1eb722304b97a804c015fbc509ad0e1cb6e5e7077b21a1c3ec121908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
22b11e8ae116281ca2f89ddb61ac4483

SHA1
e7ed01169c4181f0e489a40b5677768a30762dd7

SHA256
657051ee898cc69f1233d12d3c130aeabb1a1b12ca050e191a4498736becc689

SHA512
f918f41fa610b02d98daff794ac011360679546f0d8aa5acc844283e566bcc360048fc1e023dec8c51f6094cf634147722daf306b382b27f9ee4ed021028cad0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ac252f03cd603aec5d3d4813a9426097

SHA1
91a423f90f2e545ba332879aa0a5f9b0b4702548

SHA256
f200fbd181d5ec6a367f20290d47245568d0e76e292e58e902926ea440b4299c

SHA512
4adbc45c49719d3b155887fb2be9a8e0b4084462995ca12798afa570abf342d2702cbbedabe1a709bb1d46926ae635169d85dc39bb8e8512ef4b4e9973c9e27a

Download Submit