2bb495e189ed48efb6cb6d9ee3b32509892daa175be1f3dd6a0dd4bf9a67850c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
Size

73KB
MD5

8a9de2ed6e842310557166f21ddd7bfd
SHA1

0dbc55e096ad32ec54dfcd762752e574b4f42053
SHA256

2bb495e189ed48efb6cb6d9ee3b32509892daa175be1f3dd6a0dd4bf9a67850c
SHA512

bd3ee8c60ace27d5bdcd4b60c0738d32aa149e55829b71b79fcdedf9e1b8120213c4a011a0ce26697d7baf03969784aa448001c948cfde5550bdc37dcc6ee4e7
SSDEEP

768:s9CsTIbXuXeDObNckYKTwkiws5ObYq5wLbOutyVOA8ae3JEI4++RHCgIuXcYnVO0:s4bX+bNcOwZIpmOuYANaeOIYHRB8liG

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5928	eqsEBF6.tmp

Loads dropped DLL 20 IoCs

pid	Process
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX92ED.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX97D5.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX9B50.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeComRegisterShellARM64.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX95BA.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\RCXA833.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXADD7.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCX952B.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_proxy.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX92FE.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX99AE.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RCX9AE9.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX9FDC.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX9925.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCXAB3C.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\RCX9764.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\MicrosoftEdgeUpdate.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RCX9255.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX9F1F.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9F94.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX9FA6.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX95F1.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9C0B.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX9FCA.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\RCX9775.tmp	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqsEBF6.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5768 wrote to memory of 5928	5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe	86
PID 5768 wrote to memory of 5928	5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe	86
PID 5768 wrote to memory of 5928	5768	JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5768
- C:\Users\Admin\AppData\Local\Temp\eqsEBF6.tmp
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9de2ed6e842310557166f21ddd7bfd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe

Filesize
121KB

MD5
a21d5a981facdfaaa90d67be9c330905

SHA1
bc4d1f8dd1b8eac4c821b8ccbc2628c8e3d9f149

SHA256
3bc5a4cb94f168c5c7af95623f8a34fc4834646a07c4f325bfc8c732ad2848bb

SHA512
5fe576fdb232468b31396a97e54cbed449e64758af6fe7bb72a5ee4aa764bb56204b3ff9ccb4659f9dd87fde062240710a848cd221b32e34a818e5ea394671ba

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe

Filesize
242KB

MD5
43a347d8f5aa1dca87a10cb30414f705

SHA1
6ef4c9bab2f17e1f4b267f89f0f1e428e02209c5

SHA256
ea905e4b24bdef9e52f473ddd3c519cfdb15fc065aaf1b4b75d33e280b591c8d

SHA512
ab0a013923fa88bbe23e123a9b8570cb7b8089523b4dec9cd259f74a434038a7d8bb5083debd6819bf7a5e43c7d9472eea0740b5c572327dcd9efafd4b179640

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe

Filesize
2.1MB

MD5
006e76d788b99fde8b2449bab71227a5

SHA1
ee2275f50d9a959c9d5096b89720fad00a023dae

SHA256
042aee2ae3aaffacc7835d849eb81f001b4db120f07218c055c81935ad3585e4

SHA512
3f187b157426167cc3dcfeaf7859e425601adbd936152cf5e60ff0fbd9b5f58dad0e9e6591971ab9ed85100031c8193d89cead4f0490f1f45f73c947ba3fa3a3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_proxy.exe

Filesize
1.1MB

MD5
ddbcaddf9eefe5f411f93e2aad851873

SHA1
85278e3e9f059603d0c2248d2bb62a7029f0f5c4

SHA256
b8ef4f115e60b145947e1f33b71915e16406e5d83fb1f4b26bf921aa19f133fb

SHA512
3b74b159556cd2769ba09db33b6a945480e022300e64a2016dd1360c7e2e2c560afdac8460a85105c243a68accd596f30d82377c51b3b97e838e392098ad518f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_pwa_launcher.exe

Filesize
2.9MB

MD5
e2e474f49eef7378c4d882684069d9e4

SHA1
038b46a0c9e1d8fe9473aaee872d5442665087f3

SHA256
f2a7559bdcbd4d5a62085df59acf2f211c23a4af9992a13d079421adedc6f4ed

SHA512
017e3bcc91e409dae366cd2f2fa46f6ce3243236932ac96ced4abf05adada13c854afaba3efaa4fd494b29f465582c703cc735168b8503010622924c6cefd14e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe

Filesize
2.1MB

MD5
2b67994ec787c8ed364d54666a741ecf

SHA1
f7e11874781600e7d63db258e16b473d76c0ac6f

SHA256
de44c34089020853c82ab2aa62e9c50b0fc4036a379812d38fd190693a926c26

SHA512
eccd729d81c76f959cefb177133bfc82321dd7b78d93b955d79de1ba4fb5f89820072804abae337ecb87a4f8d2c3701924c36c49576be9ca09ef2f403afb8ef8

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXAE39.tmp

Filesize
24KB

MD5
1328cd4250310b45bdfbf66b1f310946

SHA1
4b405347565ea1023108ed339183e7c9d35f97b5

SHA256
be888bfcbbe6e367bee57a38141d3290ee6e073f877ba52ae0004662b444516e

SHA512
2035ee226420ecc2e4a3dcdd7a61977ae573df54d1c01c9a5143bc97a02e501790a4a8a92679737b2ceea017cb1158cc9d5eb5f737ebd923188593a58845cbcd

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateCore.exe

Filesize
286KB

MD5
f792028f6d941d38ce549f13dbb376cc

SHA1
7fc7bbeb293105346d80391a7822d0a17a5b68b1

SHA256
1341e2e1c1bb3541e4d3ad3c028fbce83ed7eeab2cdfe3a02abac1216ec84b54

SHA512
fdf72a89d34acec997390781508d9fab4b2238cbcccf8b8514020b4d1608bdb26c7d9150ae8e560fa5d45fbfb29c995705135ade5e8c8a0f4162f448121a181d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\cookie_exporter.exe

Filesize
121KB

MD5
da37d72b7480f9bcbaf7837541a5716d

SHA1
cd923870d65b5b5144829151cb110581248271cc

SHA256
cf23c1b80173187f20bb449b764ab4fa4e3c61d9c8f5a9a3861ea08862f4cc2f

SHA512
a2c53e606563b09c9d3d7954fbca78b43fdaafe9ec6f7b4631587488282bd0395ff039c4bd831c7932043a6872b4777388929ece52cda7b8153611242f759c5c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge.exe

Filesize
7.5MB

MD5
748b0e75ba289e20d21d93544486c69d

SHA1
f7e454d1808410a9e62d3fcb8e63cd35ddb4a6e9

SHA256
afbd82cb5761bf2da316bf17db391709ce9f092180bfff1c18c2b05d42a6b2ea

SHA512
e6b41a0ca505445e0d852e39fd0cac7411d1ebfc930eb4f80e456ea8c7792f8a4cf26244c60672c13f25df773f53aa4d586537e67a02dcb96c7b08a9123b52e3

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_proxy.exe

Filesize
1.1MB

MD5
8a3f3c35ae7137d1a691b3d52d654ea5

SHA1
90c98ea634625cca997089461be7223d7685b10a

SHA256
cc6b96a2702a0e25e7af57e8b0fa75942d37a80486b588432ab9cd11bd64c36a

SHA512
79a6235a75301127ca5f3b63aaa14715d5f0d7c1f690021523698af821b8f98b1c1c858878b8effcb88a6d6f3b05f144c0d1a7bbf4860b43d53cdcbe5129555a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_proxy.exe

Filesize
2.1MB

MD5
c6bdacd90741ae258f1bab4afb8800fb

SHA1
2cf54fd31c94c82da6c00f1a137b5565f0e795b3

SHA256
0536bcb4b2917924401a44140af11703e698266d40fd5694713d8401667cd3ee

SHA512
36fd02d9d08497acc1ca980b9da3f4be52a3c930fe1e89647869450fccdbb2910371fb9650f795b9324e7e7fdbacdec9ab11b227b99bae4a7a47a6a9a0bb6336

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe

Filesize
2.9MB

MD5
d9cea6499f2ecb320876d646653df575

SHA1
ad09a96654b885f7ab1a5aff23fe29f9c83bdf83

SHA256
afe26cc96e18e6436b6f87ace6641f8c873e82e982ed61ee6ff3e0b481327100

SHA512
fe83ee4a33e788f664d301279213c139a6e875f8227e0c7a052ab9520c438c1559071722465a4161ae08691ca47016ff5552f85d6d547ab84e6144a148c2a8ef

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\pwahelper.exe

Filesize
2.0MB

MD5
f602e15cfc859f2d470aa1c6ac206f6e

SHA1
acd3c684bdd3c305ae739aae68571e61903f54bf

SHA256
5c5a647503412087e96324cfc23455d828fa4a1d88a2edfe6a64b8a52d925292

SHA512
4dd0c8de682e10e3f5f1b732e4db2103d024caa8c5d2ac88121e670e27879786c94616a7c6b9f1939a8f1013e7e2acc67d3b96db4650b68956ff50e10f9c87ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\RCXB80F.tmp

Filesize
39KB

MD5
486599a3d5ff471d58cba6ebde56567e

SHA1
3d15684b5cd5b54682bbef0f87811738c38da6f3

SHA256
ed0a7f51249e8b9613742aedbb692fb8d6684be5b47361a3212262b47e82de44

SHA512
24c27cf7482bcafe3a5c2b7e18306649bc7e084617b70885cd769ecb081dfa6c1d49bbd53d768547c2c1311cc6cbdf4d9630a88c90ff231c72a65e206e4bd845

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
12KB

MD5
aa08e94834828337c60c23d63ec8af5f

SHA1
9e23ab8f4a5075614274b5a10530149e2260560d

SHA256
e5698ffda00cbfdc03b674fd751ba062436a474ebfa7214977d3795796e9da5a

SHA512
732763151c65a865c811b6dc2e0d9a9cceeb2d0e800950110d75f9e8c143fe74ee15da2c629762ef98c130dc264a188bd33396f71255e2f0489f5ea7ec8baf12

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9C5C.tmp

Filesize
3.9MB

MD5
99009446727d7db6f09b3647a59b3927

SHA1
ed068181606e8a7be5f2d69488f983a6214ceb41

SHA256
d24037c0861f8dcc2f28b80332c5d99f53fd6d770393ed9fbf51a27bbf9d7dee

SHA512
f05e55fb7cea3b771e661bedbb523e9cad3c952160e329373bf93ee3c39419eab0ad9f6cb30a3500d2036b32e735b24b96ab9e24d9c8b782525731fc6e5972d7

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX9DD8.tmp

Filesize
4.1MB

MD5
d36bdcf37b3c67860a065b9e04f67818

SHA1
25430d8f6f16461e04d979246af1643c84b6230d

SHA256
59fc48f1efead2be09a9cf3922f28af104522d7a64727b1f4101fa1c655f0b24

SHA512
84c9e510d9f2873ce2e2fe933594f5d5f03792ab0ba4bee7ed03a7f7b63947d340c1ddcac87238486bb11804a7d81504cc7a91aa18dd54d724301abdb1c808e9

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCX9E27.tmp

Filesize
1007KB

MD5
9ae1356094eb2e4147b2cf53d73867da

SHA1
bec29320b0c234eaeba9534c795a88cefd3e1fbf

SHA256
c753784f7373026a7d09ec14e279b6fcfa9b9b269936db1b675bd73cf1581b7f

SHA512
71f2413f1ef5bea2b30abe5a7ac0ed5d7f37da6f251e08bb188e2ec89a67995987435f6ee30b547c48c52a05ec9fd4dc530484452d22aa3484e28aaf1158a7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCXBAF5.tmp

Filesize
367KB

MD5
c05febce5b7b9f0dbde4d83c70c516ba

SHA1
42d2c559a94075313b8c81402fe6569abb32b976

SHA256
68b7906c3c95d7a6d281000f291293b906e2f20945eada8aadf70233324ad82b

SHA512
1642a43e3ddf746339b0a72e7c8c96d2aacd4530cea174e7b36cde973c95cdd458d9873365d5340faf7a497d276aa6eee22a5f244a8506c71e64eca9763953af

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqsEBF6.tmp

Filesize
61KB

MD5
c183b7e8c4dd96af66d7ace48d2d9b05

SHA1
e344488c9f1f3aec1b9878ec30820cb99c56f129

SHA256
8b9b0e4cfea6e006999b0c6c50d9da6a3c0fda5aece6e752c3ab5016637a6199

SHA512
cab52dea1734fd0e1df3cdbbd576ffa7561656af3d9b47b37e66e55364f9909dc70b2faa25ad4029b66107500328916e538ad65757f0e87f04a4c0ab043a64c3

Download Submit
memory/5768-0-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download