Analysis
max time kernel: 140s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted: 01/04/2025, 17:16
Static task: static1
General
Target: JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe
Size: 652KB
MD5: 9a603e700c9246d1e4f3856baa68ce4d
SHA1: 16ab3308f3c5dc2ef6a8402674fa5c91ca7a476b
SHA256: 6a540832cac28b33c698e66fcbfeee868573c2a4fc50d5a70b8091d8b0739d13
SHA512: 2c9786ba2c983360dc85c5806322f046b944b610a51d55ac2c69a9cb70d5e708f9ff7147b1b378e5886632fed3cf65da2ac6a7971befd8b9eee84f98a494c734
SSDEEP: 12288:i0SlJmmF99W7CQV1POhmmp+ZGnTtmg3Fxx7JvdakTNacsvH:rJw9g7CQjcmi+QnTN3vJxdjpaD
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe)
Executes dropped EXE (1 IoCs)
  - PID 5956: hpet.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops Chrome extension (1 IoCs)
  - File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json (process: hpet.exe)
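The manifest.json path above is where hpet.exe writes a Chrome extension straight into the profile's Extensions directory. As an added example (not code from the report or from the analysed sample), the Python below shows the checks worth running on such a sideloaded extension: derive the extension ID from the manifest's public key and compare it with the directory name, check the version directory against the manifest version, and list the permissions and update URL. Only the manifest path comes from the report; the manifest body, key and permission list are constructed placeholders, and the risky-permission set and Web Store update URL are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: sanity checks for a Chrome
extension dropped directly into a profile's Extensions directory.

Only REPORT_MANIFEST_PATH is taken from the report. The manifest body, the
public key and the permission list are constructed placeholders; the real
file's contents are not in the report."""
import base64
import hashlib
import json
from pathlib import PureWindowsPath

# Path from the report's 'Drops Chrome extension' IoC.
REPORT_MANIFEST_PATH = (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default"
                        r"\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json")

# Constructed stand-in for the manifest (not the real file).
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real SubjectPublicKeyInfo").decode()
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "constructed sample",
    "version": "1.2",
    "key": SAMPLE_KEY,
    "update_url": "http://example.invalid/update.xml",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
})

# Web Store installs update from this URL; anything else is self-hosted (assumption of this example).
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
RISKY_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                     "cookies", "history", "declarativeNetRequest", "nativeMessaging"}


def extension_id_from_hex(hexdigest):
    """Chrome extension IDs are the first 32 hex digits of SHA-256(public key DER),
    re-encoded with the digits 0-9a-f mapped onto the letters a-p."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hexdigest[:32])


def extension_id_from_key(key_b64):
    """Derive the ID from the base64 'key' field as Chrome does."""
    der = base64.b64decode(key_b64)
    return extension_id_from_hex(hashlib.sha256(der).hexdigest())


def audit_extension(manifest_path, manifest_text):
    """Compare what the on-disk location claims with what the manifest says."""
    parts = PureWindowsPath(manifest_path).parts
    ext_index = parts.index("Extensions")
    ext_id, version_dir = parts[ext_index + 1], parts[ext_index + 2]
    manifest = json.loads(manifest_text)

    key = manifest.get("key")
    derived_id = extension_id_from_key(key) if key else None
    update_url = manifest.get("update_url", "")
    permissions = set(manifest.get("permissions", []))

    return {
        "id": ext_id,
        # Chrome names the version directory "<version>_<n>"; the manifest must agree.
        "version_matches": version_dir.split("_", 1)[0] == manifest.get("version"),
        # A sideloaded extension carries a "key" so its ID stays stable. If the ID
        # derived from that key differs from the directory name, the files were
        # planted under a chosen ID rather than installed through Chrome.
        "key_present": key is not None,
        "derived_id": derived_id,
        "id_matches_key": derived_id == ext_id,
        "webstore_update_url": update_url.startswith(WEBSTORE_UPDATE_URL),
        "risky_permissions": sorted(permissions & RISKY_PERMISSIONS),
    }


if __name__ == "__main__":
    for k, v in audit_extension(REPORT_MANIFEST_PATH, SAMPLE_MANIFEST).items():
        print(f"{k}: {v}")
```

A file write into Extensions\ by itself does not make Chrome load the extension: it also has to be registered in the profile's Preferences or Secure Preferences, or pushed by policy, and this report does not show either. The ID check is still useful, because a manifest whose key does not reproduce the directory name was not put there by Chrome's own install path.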
Drops file in Program Files directory (1 IoCs)
  - File created: C:\Program Files\msedge_url_fetcher_5116_1041446092\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx (process: msedge.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: hpet.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: msedge.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
Modifies Internet Explorer settings (3 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" (process: hpet.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" (process: hpet.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" (process: hpet.exe)
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" (process: hpet.exe)
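The "Before" values in these two signatures are Microsoft's go.microsoft.com redirector links, and the new values point at search.b1.org with a chid that matches the -channel argument hpet.exe was launched with. As an added example (not code from the report), the Python below parses "Set value" IoC lines of this shape, pairs each value's Before/after, and flags a hijack when the new URL leaves Microsoft's redirector. The four IoC lines are copied from the report; the default-host list and the set of watched value names are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: flags Internet Explorer
start/search page hijacks from the 'Set value' registry IoCs a sandbox emits.

REPORT_IOCS is copied from the report. DEFAULT_HOSTS, WATCHED and the audit
logic are this example's assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" hpet.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" hpet.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" hpet.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" hpet.exe',
]

# 'Set value (<type>) <key path>\<value name> [Before] = "<data>" <process>'
# The key path contains spaces, so the path group is lazy and the optional
# "Before" marker is matched before the ' = "' delimiter.
IOC_RE = re.compile(r'^Set value \((\w+)\) (.+?)(?: (Before))? = "([^"]*)" (\S+)$')

DEFAULT_HOSTS = {"go.microsoft.com"}      # host of the report's "Before" values (assumption: treated as benign)
WATCHED = {"Start Page", "Search Page"}   # the two values hpet.exe rewrites in the report


def is_microsoft_default(url):
    return urlsplit(url).hostname in DEFAULT_HOSTS


def audit(ioc_lines):
    """Pair Before/after data per value name and decide whether each was hijacked."""
    findings = {}
    for line in ioc_lines:
        m = IOC_RE.match(line)
        if not m:
            continue
        _vtype, key, before_tag, data, process = m.groups()
        key_path, value_name = key.rsplit("\\", 1)
        if value_name not in WATCHED:
            continue
        f = findings.setdefault(value_name, {"key": key_path, "process": process,
                                             "before": None, "after": None})
        f["before" if before_tag else "after"] = data
    for f in findings.values():
        after = f["after"]
        f["hijacked"] = bool(after) and not is_microsoft_default(after)
        f["new_host"] = urlsplit(after).hostname if after else None
        # The report launches hpet.exe with "-channel 162341"; the new URL carries chid=c162341.
        f["channel_id"] = parse_qs(urlsplit(after).query).get("chid", [None])[0] if after else None
    return findings


if __name__ == "__main__":
    for name, f in audit(REPORT_IOCS).items():
        print(f'{name}: hijacked={f["hijacked"]} by {f["process"]} -> {f["new_host"]} '
              f'(chid={f["channel_id"]}, was {f["before"]})')
```

On a live machine the same check means reading HKCU\Software\Microsoft\Internet Explorer\Main with winreg and feeding the values in the same line shape; the parser relies only on the 'Set value (type) key [Before] = "data" process' pattern, not on the sandbox's column order.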
Modifies data under HKEY_USERS (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (process: msedge.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880013869442714" (process: msedge.exe)
Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: msedge.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{7E2A9764-1E5F-4BA6-ABCD-2AEBC5E2E4DA} (process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - PID 5956: hpet.exe (all 8 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  - PID 5116: msedge.exe (all 4 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 836: JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe
  - PID 5116: msedge.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  - PID 5956: hpet.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Unique writer -> target pairs (pid, process, procid_target), with how many of the 64 entries each accounts for:
  - PID 836 (JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe) wrote to memory of 5956, procid_target 97: 3 entries
  - PID 836 (JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe) wrote to memory of 5116, procid_target 100: 2 entries
  - PID 5116 (msedge.exe) wrote to memory of 5736, procid_target 101: 2 entries
  - PID 5116 (msedge.exe) wrote to memory of 436, procid_target 103: 2 entries
  - PID 5116 (msedge.exe) wrote to memory of 5832, procid_target 105: 2 entries
  - PID 5116 (msedge.exe) wrote to memory of 2508, procid_target 104: all remaining entries (53 of the 64)
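The 64 WriteProcessMemory entries above are mostly Edge writing into its own child processes. As an added example (not code from the report), the Python below parses entries in this format, collapses the repeats, and sorts each writer -> target pair using the parent/child relationships visible in the process tree: a browser writing into its own sandboxed children is noise; a parent writing into a different image it has just spawned is what CreateProcess typically looks like from a user-mode hook, so 836 -> 5956 only tells you the sample launched its dropped hpet.exe; and a write whose writer is not the target's parent is the case that deserves a look. The IoC lines and the PID tables are copied from the report; the one line marked CONSTRUCTED is invented to exercise that last path, and the verdict rules are this example's own.

```python
"""Added example, not part of the sandbox report: collapses 'Suspicious use of
WriteProcessMemory' entries into unique writer->target edges and labels them.

REPORT_LINES, IMAGE_BY_PID and PARENT_BY_PID are copied from the report; the
line marked CONSTRUCTED is invented, and the verdicts are this example's own."""
import re
from collections import Counter

REPORT_LINES = """\
PID 836 wrote to memory of 5956 836 JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe 97
PID 836 wrote to memory of 5956 836 JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe 97
PID 836 wrote to memory of 5116 836 JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe 100
PID 5116 wrote to memory of 5736 5116 msedge.exe 101
PID 5116 wrote to memory of 2508 5116 msedge.exe 104
PID 5116 wrote to memory of 2508 5116 msedge.exe 104
"""
# CONSTRUCTED: not in the report. A write from the dropped EXE into the browser.
CONSTRUCTED_LINE = "PID 5956 wrote to memory of 5116 5956 hpet.exe 100\n"
SAMPLE = REPORT_LINES + CONSTRUCTED_LINE

# From the report's process tree.
IMAGE_BY_PID = {836: "JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe",
                5956: "hpet.exe", 5116: "msedge.exe", 5736: "msedge.exe", 2508: "msedge.exe"}
PARENT_BY_PID = {5956: 836, 5116: 836, 5736: 5116, 2508: 5116}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target record id>"
ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Count identical entries; the report repeats one msedge.exe edge dozens of times."""
    counts = Counter()
    for m in ENTRY_RE.finditer(text):
        writer, target, writer_image, record = m.groups()
        counts[(int(writer), int(target), writer_image, int(record))] += 1
    return counts


def classify(writer, target):
    """A parent writing into a child it just created is what process creation
    looks like from a user-mode hook (start-up parameters are copied into the
    new process), so the parent relationship is checked first."""
    if PARENT_BY_PID.get(target) != writer:
        return "injection-candidate"   # writer is not the target's parent
    w_img, t_img = IMAGE_BY_PID.get(writer), IMAGE_BY_PID.get(target)
    if w_img == t_img and w_img in BROWSERS:
        return "browser-internal"      # browser launching its own sandboxed children
    return "spawned-child"             # different image: check whether the child is a dropped file


def triage(text):
    rows = []
    for (writer, target, writer_image, record), n in sorted(parse_edges(text).items()):
        rows.append({"writer": writer, "target": target, "writer_image": writer_image,
                     "target_image": IMAGE_BY_PID.get(target, "?"), "record": record,
                     "count": n, "verdict": classify(writer, target)})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["writer"]:>5} {r["writer_image"]:<52} -> {r["target"]:>5} '
              f'{r["target_image"]:<12} x{r["count"]:<2} {r["verdict"]}')
```

The report gives no timestamps per write, so this classification cannot separate start-up writes from writes that continue long after the child is running; with a full event log, a parent that keeps writing into a child after its first thread has started is the other signal worth adding.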
Processes
(the bracketed number is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe (PID 836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a603e700c9246d1e4f3856baa68ce4d.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe (PID 5956)
      Command line: "C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe" -home -home2 -hie -hff -hgc -et -channel 162341
      - Executes dropped EXE
      - Drops Chrome extension
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/rar/YZGvj_Nc/GTA_IV_torrenttraduocrack.html?ref=downloadhelpererror
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5736)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7ffd6aa7f208,0x7ffd6aa7f214,0x7ffd6aa7f220

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 436)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1764,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:3

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1956,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5832)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2540,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:2

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1404)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5176)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1628)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5040,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3852)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1616,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=4976 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4720)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4292,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3728)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 1216)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 5972)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5352)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6072,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3540)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5948,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4404)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5148)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5280)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3748,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5016)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6376,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2564)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=872,i,18177251423667597077,15935955058057015702,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8

[1] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 5604)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

[1] C:\Windows\system32\cmd.exe (PID 1564)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2884)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

Network

MITRE ATT&CK Enterprise v15
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads

- Filesize: 280B
  MD5: 8625e8ce164e1039c0d19156210674ce
  SHA1: 9eb5ae97638791b0310807d725ac8815202737d2
  SHA256: 2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2
  SHA512: 3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

- Filesize: 107KB
  MD5: 40e2018187b61af5be8caf035fb72882
  SHA1: 72a0b7bcb454b6b727bf90da35879b3e9a70621e
  SHA256: b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
  SHA512: a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

- Filesize: 2KB
  MD5: e1c61d1bf5480e4c87c8b57d1777cc02
  SHA1: 761c80b05c90c673c825f80df4df828afe104b49
  SHA256: d4f3fdf024b28887dfa81e07af0737143256138e58259f371e7e829658b1c493
  SHA512: c87b214ce4a891bdc632659c91924405e025d4a1ff312227c136debf15e0ecf81924a607021d023e5fb1227850419b1eb7432f77def7152d1fe0a5300b773fcb

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 40B
  MD5: 20d4b8fa017a12a108c87f540836e250
  SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
  SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
  SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

- Filesize: 16KB
  MD5: 61ad4a74e039554a00b34ff8662c9480
  SHA1: 61b8e5b212d54467315c8b0db3ed37f26afa3239
  SHA256: 56c7b8669825b3115dc4314bf72fd4c7efa7a2f6c68df81f759e81015b4d3e67
  SHA512: ce91083a95107c4d2afc9102f0616b21fe483983dbf340635c718e388a5282f381601462e121d7796b784be5de6dc493f1f32a58cf3b65c52b316ae9e25e4176

- Filesize: 16KB
  MD5: 18d06bcaf20780d0e75ed64a0c9fe081
  SHA1: 6630cdb738f823d259af0f371f57c192b5297aa3
  SHA256: 8a713201fffbc79834af26d68172e5dc3b493622d0da63c154671d47c6f95bcd
  SHA512: d8892a806e9e1a6bbf516262376a16e7ea39835f4db94360e84d7b0ef7cce529d04fdeb9ad305cddf09a65e674dba2e614e515f2831c0d7d3cd3860935004e29

- Filesize: 36KB
  MD5: ad6171c5125961be684e5b82e12bbcfe
  SHA1: e750b8e2c3aa71285d360aed02faffc614f41d7d
  SHA256: 0dd2871f349fed1c8e5ef92017e0c071d237e2642bc29fa248a7599a8680af1d
  SHA512: 8234046ce4dfa87f9a0a57c0189a36786f9224a06cd5222303e8f0b8ce9567b187e8cc2716a1f4b9105d778344c663d15b1c42ebece7649601d642fcd91b2e70

- Filesize: 22KB
  MD5: c2a19ed6f765fdcce04f34cb72cf7810
  SHA1: 2a645ffd24275c4a2ffa9f6b877b827e34a5e21e
  SHA256: 5dd49d1ee8918fbe701a8f4fe0102430aaa0461b3882c0d48414ae96a1bdbb29
  SHA512: d93180a75948dea2bfe342659d2d984c4ff14c3d117fdd7e7a1a901e6cf8ab911d391925f8cfd832d82181d2aff46a47bf7a5c9e7396bab56bc9cab65d33196e

- Filesize: 467B
  MD5: df4a13b126cb99a27a3d8857d32bd36d
  SHA1: 849964683c36f5318453f49efbc41746fe8e1bad
  SHA256: 51a25d3449746a9a49475af3180ddbfb6ca5730a8851bb27f9d704971b3e8f9e
  SHA512: 83bb9d9d894f0a3a243539334816bdcff15c46156d1a7338bed45b3347a20b3c434d13faf3254fde7d6f15284fafb87e763fa6a8c3c1e051f3fc5cde56ced051

- Filesize: 900B
  MD5: 889bb011c1550ebf6243c693db4e050a
  SHA1: c5cc2ae9255e0dfbbd580004db0d93bb8533e44c
  SHA256: cedbaa286364fdd9554797f5a566211b6696db3ab4b7f86e89351160d7db3e7b
  SHA512: b3f22af8019d1457af8f924ed811bdb29da0261b52ced52609705116fc5028e3c34789fd3e896b42132ebf22f5ed373f55c1819628d09f55f3d677822f2728da

- Filesize: 23KB
  MD5: 0c14c519ba71d05a6912622ca1439cdf
  SHA1: 6f59992501ccf5bbb85bc2360a28fb9908a8737d
  SHA256: 96e913e496a1dfc99d12f46b3328d913017be657f1119643a818d0180ff944a9
  SHA512: b0252a314324242e94d9aa4f01c66ed5aab81eb43d03b185502d78014d70f022ea7b592c1bbe1e0fdfa4daefe7d7e5c6915713c8acaa8ee04c99b9565824f9b4

- Filesize: 19KB
  MD5: 41c1930548d8b99ff1dbb64ba7fecb3d
  SHA1: d8acfeaf7c74e2b289be37687f886f50c01d4f2f
  SHA256: 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
  SHA512: a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

- Filesize: 41KB
  MD5: 9243947ec18b65328e0769195f52ec8b
  SHA1: 699df8cf4f37749813d18caaa4cecf96b59a5271
  SHA256: a972b0d7bbfa9d4f22cfa02c629e461a627c6e110084777b6d9e1f2d978846a9
  SHA512: 39912d30eeb98122099e4d7abf8355564776d8ca1d44e7f5c8ca14973fc74544bb0a35d1ec2ec47a02a6a8529fa9a799dcc02083593227676424c91a331eb336

- Filesize: 41KB
  MD5: 0e8e7b164404c286b436dda6b27a1a87
  SHA1: 5fe1ecc61ae449240f4ec96bbd130c1bbc48f205
  SHA256: 04596ec3bc38493eca1d0ce64d665748a2055d8d8bf4d075297780ca8baeb300
  SHA512: 9a243d8464fa97a6dde5560458291e37c4c3d6698e06adca5e432c860acc58e587ffbd9b247c7f0f43a6f105f418ffbbbd202588a15a5eb3e6bb5f9268fb2893

- Filesize: 55KB
  MD5: 2aad7f71a9a7c3b57c499ccf4ca45f9a
  SHA1: d44efcc36e164f4bf78ea105a8e6a99e5d7f2679
  SHA256: 6952bba775d50bae45ef0ac0c6a65e04e6d248fff10f588071ee17e6cef5acac
  SHA512: a5ebeec27c99f02d61bb35db89a3d99ac2194e26eb3162c03cb86c02b5c164108253acebaa1a15b8f19d5b450d11065d074b373870631269c231f62864f0bf55

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
  Filesize: 2KB
  MD5: ce386f5129d973a23b88bc4cd09aa61f
  SHA1: 82c5750e35771c344c75f9723b93883b2d598142
  SHA256: 6dfd4e1ed9ea378825eff84f61761e35feae529fe490dad8d2da7435fec49ca0
  SHA512: 8a6c82a5caa4196118b909497453289cfb81a17678b4b087495dc7aa28d1a62ea5f9ef92466bc078558c4b9a40e5ff8e4fa8b3ae6fe83465b68d0ccd7664d6a5

- Filesize: 467KB
  MD5: 97bc7c2a98ee92297fcb2cecf1b222f9
  SHA1: b3e08065fff002513c36cfe85e0ca607c68fbce3
  SHA256: 0effc6288b6ce1f933c8b97dc8ec5e6ee883f0628bea176538f65b0b2297d1fe
  SHA512: a53e1220dfba16fe44f20bfc32dd986054751fb124a1c0917af4c34a45e7a2187ae05098a7681f9ed65cee852e3fbecf8fa49cc015b224dc50566659859986cc