4ec2bf3ca394d1a0e38d118c79a0b3413be0c2a7d945b80d05a336eff6ae121d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da10bb1b0e7536c0862734898c09fa09.html
Size

84KB
MD5

da10bb1b0e7536c0862734898c09fa09
SHA1

f0d7213e713d735ef19eba670b58a42321c46b00
SHA256

4ec2bf3ca394d1a0e38d118c79a0b3413be0c2a7d945b80d05a336eff6ae121d
SHA512

e159f1579b6d25f2a7f33b53976b901ece0539b4c125a5632db778a8c495a1507e781d52eb88efba51a5718de94d8e14d632c3d7769aa1075d57490b4e982787
SSDEEP

1536:yC/A/L5ETQu69o+THasslRNodJhBN88CB3MrXJr/qPPwGcUuZXmGl:yCA/469o+THasslRNodJhBN88sMrXV/P

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
4596	msedge.exe
4596	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	6020	dwm.exe
Token: SeChangeNotifyPrivilege	6020	dwm.exe
Token: 33	6020	dwm.exe
Token: SeIncBasePriorityPrivilege	6020	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3024	4596	msedge.exe	83
PID 4596 wrote to memory of 3024	4596	msedge.exe	83
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 396	4596	msedge.exe	84
PID 4596 wrote to memory of 3960	4596	msedge.exe	85
PID 4596 wrote to memory of 3960	4596	msedge.exe	85
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86
PID 4596 wrote to memory of 1688	4596	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da10bb1b0e7536c0862734898c09fa09.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7dda46f8,0x7ffc7dda4708,0x7ffc7dda4718
  2⤵
  PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=93046174564352 --process=176 /prefetch:7 --thread=2368
    3⤵
    PID:5748
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3024 -s 744
    3⤵
    PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3704 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7037359304011704743,11716852237308089601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
77KB

MD5
f58560cfa44439caea2ac5f598d46459

SHA1
5718bbef7cc8bf4399c0251418c00852374e11c6

SHA256
cf53f38d51ebc8b3b36d13f314317f1a17d5d58afa63bfa3e89249e995f049da

SHA512
b8b2f81d8bd559ad6f19b6dce64bdc3eed592aa7bcba4e9a0e57c150cabfe4b0b6bb28b9f3c4ce99c6f0b2af214b2fc41323f09f65b27f29d65f8700ea9c0945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
77KB

MD5
54b0cd52399c5fe7337fdc40f6587e58

SHA1
8daccb9654c5e3bc863fc1fc93874ce3bcc8304c

SHA256
aa63b2fcb201decc5954394cd7a6417874c479fb3deba178b263537cb0e29017

SHA512
de0aaf827af56f72f1d86cf9c5ef58f627600f253824467f29dfecd84c9eb3730e945423903d8b802de1643e9f757acf6d77beb41cb7638fadb829c4a49df24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
77KB

MD5
0ce568c0192a7312387e75c569b3bbb9

SHA1
febc7f929c53d70426f79bf8055b9f1ae5481809

SHA256
0d68cbff1ec09481d0c1684c62c4a4973b97dbf661288871d8952b6058a60611

SHA512
f896849ee04c7cfb326fd987d5507429823a7541883cd208043c5b19c54b57f2579eb6f5f5853865974c85c086198eaca5e57073efcb08d0d4e20978f2a3a539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c8

Filesize
77KB

MD5
fe19c6f44cf02c900d9b7dc201a9587d

SHA1
83cda7eb57dfa91c86847407842304acfbb854f4

SHA256
4944c7b1e0fa321170a36875996c169b443e6e6e31f3708373c9c478c9b8b037

SHA512
7f2dd54dd7c2a067f4b348c718af517a1d2042bd4c0378007c8040a0cd0ef878ec43c6bf4b9600fc84696cbfc0b796fae99ade193b932fbd49b75300d8affd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000108

Filesize
77KB

MD5
5f9bbd5f9cd72c23221119aed2c6c195

SHA1
4dcaa1da2618b2a553dc6bddb273c733238505c4

SHA256
2c285098f77cd4243d754008a7674cd7364f758a21084537bac62afb81c0de08

SHA512
e0951d0bf1c0d7a64756cf5706eef0f71567fd90e794570f7549bcb46a349d612cdd8074532cf5367fa33abe4a6a4dfb1307d1b92a30397135c6b6ba6c3f4ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0001e0

Filesize
73KB

MD5
c0d2296e3c28ad4b4ddec5179ef009f7

SHA1
d8adce67ed27b8972d4a0367b7025a79569c6aae

SHA256
803f7eda422efa35adfbd28c1d624a80b820636fa90bb133f6895b11a82a7c44

SHA512
88eaac7b1a2a2a6af7dd4243e57e7637b6af9f2d9064a6180949b7378867b9e01a04ad4b88dbc5449e377743a7efff30182e5f90d575572e7d067a4e31beac0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0002b5

Filesize
91KB

MD5
792c37517be95956ad1360d90916ded4

SHA1
20a908bdea3dd08d4a45471376f557b80726e1c3

SHA256
ea8138e402107c426928b05b1f6e8b86fb1ede52f35fad3881ed264f68a5fc04

SHA512
ae84c402fc691b2abb8dc4c16d741254bb15d1a62562d2a22e3e3aa7817f74e94e963e34583d03bd28755d8511b362d8a4c8a8606ec0c879c490ed2310874443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000399

Filesize
77KB

MD5
1bea2dd046c6a7465e9108d8b4763440

SHA1
0ebce6424748d5a94221fce199ccaf9d4821e089

SHA256
37d4b005ce188ef13aaaac4a268b5c4bdb4f5b69e3bb1f3375f595800077c3f7

SHA512
c7ffb650243aa5536e6508a276c44fca3d65a07db796b4e984c3b46a53984d0e1cc46248aeb572af0255f1a283d0af07a235f9cfd31b42eb3f60589112dd9837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000498

Filesize
77KB

MD5
766cf35a3991e1cb880749b6e50c7744

SHA1
ad15a0e53a5cb36bed3afbe12bb57ee16f4ac3c9

SHA256
a0cfc17818e7accaa6ac448f5a243388be55ecbf9cbdbb1968bdced18e910e84

SHA512
01481d2726e94a832cad3d1f392b8e443ba0ad072cac214d86d6b22f51cfe2562dcd14b0d08992cad7c1a0b7ac96a13220f9e70ef1028b15ea916bc9df98d00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5d1960d8536b0ee0_0

Filesize
207B

MD5
099dac5877eea759be09923d0a31d2f1

SHA1
213761b089f96787150dfab316bd3b72d030d241

SHA256
e300ed590efd208823cc3ad51c36afd028ecc0a6c84d975faf99a604a784c7aa

SHA512
76936c6514f04c3371e7ff12c02c147f673196d2454c0aa8b28652632b40b6af23e2fb33a120bc761e595476a1b70a4fa32c451e19b1cad07222a88bd3062a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
24KB

MD5
350612844328ddf6069d623efdcab635

SHA1
c57617f49a3ccb031b4a1d7d79e482ad6d94ac59

SHA256
cf41dd746b1e438d21cabd6dcc9d207828118fb5bf4f644a13157c553b90dc16

SHA512
d021c1bc189bb8532ae3ebe732c0c16842b5510bd3e2f6e0f621d58c45527d865963c69443309c747a7daacb7d804317bbcf15a2fb2f376ec1f933673ca3fd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
147c8120e67180cbfcc1fc166ab0fb21

SHA1
72a71f77fa70b1bab543f42f4e88c6d9ced68717

SHA256
39d008b4ad7f36831cffc01feaaca31508baafded9e2dac2c67b718934536503

SHA512
ab7d3fb6a6790967867d2755ad564f52d4afc10d6c5f6d4c07e4ecf54448e3aa96b60e37600be961bc55c0115470c3419fe0a827d195fd8779e2b78be15fab8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6771977e8e7044d03b8f8b9f992940cd

SHA1
c5825fb242736830bea0dcb5f43ca4001b9d1119

SHA256
29c628579b56951784bec33c89ea89c5cdeb73aa135f1c11e3fdc7b90279b7b8

SHA512
9bfec7dba0cabff81eb5718bf9f68df722b345f7dd735b40a774d87cc749fa668ae1f4beb9ae3f2256cb5a488746abda22e40029b1e4a63469d5e7b94918ece7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dbf99396b309247b17f8dc3f9f39df2c

SHA1
e606e8f32b2cdaa24a7cec6bb84843979dc422de

SHA256
097ec7d1b0b02c784fde7e1a8e49c7d963ca1b8b6e2ba26e43c509a9bc238144

SHA512
c447b52375bb60f4a9d5d5b0c95c5209e60d92f2b9a9024278dec8ce060d91f84d9675b1ab64e7c079a45c3c681466f3625eef9c084a2b1b0e212405eb6424c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2cf6c943f73ff17a5724f6a20110e4b4

SHA1
c06de2c3d2ace833e235cde9db93478a7314aea5

SHA256
3997682e768bb24de4baa4d4d935bef20d751dd973852bb8f93ebbff7dda4420

SHA512
ac3b4c15ee342dec10b4db60570bb20a80763903732f2b284b95066a05e72202814fd5087ff01c4e85abc4b9d22f366768e49ec65476ded0909d5087e27d54f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6feaa957950423b685ea72749cd8d7b1

SHA1
342a82a879664ff09df8c0f1f70f37966b85699d

SHA256
1174d6b1258b274bc32bdf4181de2c5a6b2a2f999517c225354aeaf308f354c3

SHA512
9640fb633187172790ad464cea5b9d65cc381ba7b9e9f43b5dceebd04d777cec0075e375f44b5473fab2729e1397016aad5dcd5b3effe850e582e50d4b02c88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f1597645b1413520a93b5c7c63d93d37

SHA1
7db8168355f35a9849bc61477470ea49490c8763

SHA256
1856186afb322eee8a3eb4468ac7afa37ba21834cfcdbe81aaa1660d26694634

SHA512
15a10926a75b60aab46a52422f8e3a95e2f68c74092be9a936b2c535476e6af0d22d30fd67d833b057d21a2644345c362177e444db300fd61b772725e7d2112c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
5c4fb528c64ea768c146972972f69054

SHA1
c172120af607dc3f9ff98a0233ee9122ef37a42a

SHA256
115ee481273c95d622ee5bf42b7de307ffdaa9acce7e69029b3728954e59c6db

SHA512
234cf7e98fc018e8b011f77aa48ea3df0fb730be5423f2f68256473dc54441d4d18a110175c3f8b41dd5403feed1cac58742c968f075d2e0fca24b836c630700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ff4f1c02deb3ae3a2e53ae4f0d2621aa

SHA1
ca9b9fa11ac19aacc52c77886918a54facc2f14c

SHA256
9685e2be378e01a5251021b2315b95d3cc9dcf6de7618fa0153f304037cb9c42

SHA512
6b895e7502a5a4024f9c7550e8f97392e4a5bf1e5aa354d7e888f15b3c158fd5bb4c4b74f46c68c001b743ad3d6132d383f692beb07ce5cb489c64640c420fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
f226d028954cf619b8ff821c2b793f2a

SHA1
96501d8a4fd594e7f508d2b77c9b299739f0a44e

SHA256
e754afd61d50bb22869797d9f0fac0b1794b5b05f531ebf5a3cd341395c0d455

SHA512
06c1c8f7ac90c4795c144c73d2603825850cbe0c8950f46a38c9a57248b9c0d674dd31ead9421f34fb86ed6bcc8bf26864c309a907270f08f1d1ebe153e753a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
e5d2d783ef06b19cc3b6af58ebae5ac6

SHA1
b5401c5639ab117f0f8078c2d8c55ba65dc11ee8

SHA256
07712d8517fecf05ae3d675e22cb2c76cbe38a859a91af028a78e18b2e2e24ef

SHA512
51db814337b915781c6d09bd58350b017c5356a89488c37650c64183fa6f75246e0f94949642a860881fbdba7892eb7930fc76f38cce03182a586435f414018f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
276239464eed5fd0668771908fac427a

SHA1
b7fddbe967da18aefe0d22648a6d4ba1f8501b9c

SHA256
5368665b607705bdbd2a0c04ef96e344ae6c774fb69c201a5f11836f20e84575

SHA512
4f0d1af360495b259e54937c0d998e689ff44df01ed0579295ad16066fe7bad8fb997b63f570294d13d717b4432ff277e65c96aaf5e3883993d5e02e4bdb2de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b7837e864faaf59ec28421dfe2ed9cec

SHA1
3a8730fd6d362a3e6fba96527d606142e81ab46d

SHA256
686e00d5cb1dcf8838df820b4d21d4dd1dad7fa3c1dfd01959c9e7a9d467f989

SHA512
ac098d31b08ca0143cecedb43317b2c84c231d88aedc0a093804b1660e29b40ef877dc9406a117f1c2c882fc29a5edd8d6393e06a50428c11a89adbf8551232b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581d76.TMP

Filesize
706B

MD5
22d6aaf1e66c4bfdecb6902faaa3215c

SHA1
feed6105c35c2cced2b6e7d07603a618cc5e2582

SHA256
0423982a35e6642e584f821fd75dba917ca2424fd6659ecae2e54eabf7aab90d

SHA512
09a821aa72251d1950fe25dd23c842f9743150c6ae5b5b8a79cec8a67fbbd277164dda772974f8814872e2c6e03f8aa1c0be87a9646c4bc82c1fe4b4da2ffe02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3f90c7f2f344af890dbeeb7f4b87c99f

SHA1
cf855b19e736267c4b767c3df8a8840740a8a923

SHA256
2d81adee009b9bec3c247d120599649f49fd50f4ab7ac69b3ecf2cace56729d9

SHA512
ab6cddd86ee927ea72776b780a576c9e7a2f07ade512e0e3ab3b5a08ae00b04f82a14104b03ffb69bb166c1dcc117f7f95eccb4514bfb82bef5d289ec3691f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6a49adacf326e8a10cb4d7c454182e0b

SHA1
c6800a254bfccaafeff60297b4277f0b3f6c5503

SHA256
ea086dd9616caea2bdee998c08a953a90f79509dd52908a76c6bcdb32a41f079

SHA512
69a416e8aaf47875d554a32b681b637ba96f17fd5712a17a9b03db4bd9bcbcd6099785ba6fa88d96bdac3acaee2813ae5ce1bb6c754b3322c075ec29b3908979

Download Submit