Malware Analysis Report

2024-11-15 08:30

Sample ID 240407-28t6wshf24
Target e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118
SHA256 4541daa34997fc7c5f8e9cb8224f1059ff215965c2c33c597515ff293a8af3db
Tags redline sectoprat build2_mastif agilenet infostealer persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4541daa34997fc7c5f8e9cb8224f1059ff215965c2c33c597515ff293a8af3db

Threat Level: Known bad

The file e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

RedLine payload

SectopRAT payload

SectopRAT

RedLine

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:15

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:15

Reported

2024-04-07 23:18

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload


SectopRAT

trojan rat sectoprat

SectopRAT payload


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Obfuscated with Agile.Net obfuscator

agilenet

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2796 set thread context of 2896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418693606" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000025f5a57f3fbc198c208d64e934d890f280f1af13f392c9f334718c08fdd02d53000000000e8000000002000020000000bb202ef8f44aea590384b7969e934da4461f0240aac62ed9df5e40ff2858454020000000fb85c7c9bf8ae23a073dfcceef2c0018b005ad1803b8e413ec4953544b2d45c940000000c3f8a47c3de064cb5b1aa2bb945fcee68d8b803b24f491307ea6547816180473fd3c9b89c71dcd4e58d0ead700b51b8f67d058245de2958a6f66a77054847cee C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a238944189da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE979E01-F534-11EE-9DC0-D20227E6D795} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 2844 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2676 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2704 wrote to memory of 2208 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS316C.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.170:80 apps.identrust.com tcp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
RU 95.181.157.69:8552 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS316C.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69


MD5 e74eaf1a4907ddc2222964798c5244e6
SHA1 ae6d0798f8eaaa1f359f5d75a716158f52c6d4ac
SHA256 ae60a1fc5e55219882e5efc4762f1d23a8a31b60bd67fa29cd5da56f14cf144c
SHA512 dd4565f1b203049855b90be754634af206e514361207061ce7108c069612c9a435a9b5c56e7399f3311973024704e0d701e820da6084e61f5e9dad4036dd2dee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 207874d8b6231e838f6c17abebec1e1c
SHA1 7885940b01b0d7d4d13fc4a3d8c40c5173008b7a
SHA256 559c807dfd77038579fd00b91b30f66fce0a17e7631baea4393ee422d1a17b2b
SHA512 c3cbff396311ce1d8b60d68c1b689d033f3c48c01f01e153232949a736b7525dddb4a0c81dfc527e9fa1738cc2551407ebf674e4b09b05492d4d28f6ded25a2e

memory/2896-1042-0x0000000004E00000-0x0000000004E40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:15

Reported

2024-04-07 23:18

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe N/A
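The value above deserves a second look before it is counted as persistence. A RunOnce entry named wextract_cleanupN whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is what the Windows IExpress self-extractor (wextract.exe) writes so that its IXP000.TMP extraction folder is deleted at the next logon. It confirms that the sample is an IExpress package that unpacked Install.exe and RUNTIM~1.EXE into that folder; it does not start either of them again, and no other Run or RunOnce write appears in this run. The classifier below is an added example, not part of the report or of any tool it names, that separates this cleanup entry from an autorun that actually launches a binary and flags launch paths under user-writable locations. The three sample values are constructed; only the first is taken from the row above, with the report's doubled backslashes collapsed to single ones.

```python
import re

# Constructed sample autorun values (value name -> data), written with
# single backslashes as they would be read from the registry. Only the
# first is taken from the report; the other two are made-up comparison cases.
SAMPLE_VALUES = {
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    "Updater": r'"C:\Users\Admin\AppData\Roaming\svc\updater.exe" --silent',
    "OneDriveSetup": r'C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup',
}

# wextract.exe names its cleanup entry wextract_cleanup<N>; the data calls
# advpack.dll!DelNodeRunDLL32 to delete the IXP<NNN>.TMP extraction folder.
CLEANUP_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:.*\\)?advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def _launch_path(data: str) -> str:
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(maxsplit=1)[0] if data else ""


def _user_writable(path: str) -> bool:
    """Crude test for locations a standard user can write to (profile, Temp, ProgramData)."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def classify_autorun(name: str, data: str) -> dict:
    """Classify one Run/RunOnce value: IExpress cleanup, other DelNode call, or a real launch."""
    m = DELNODE_RE.match(data.strip())
    if m and CLEANUP_NAME_RE.match(name):
        return {"name": name, "kind": "iexpress_cleanup", "target_dir": m.group("dir"),
                "note": "wextract.exe cleanup; deletes the extraction folder at next logon, starts nothing"}
    if m:
        return {"name": name, "kind": "delnode_other", "target_dir": m.group("dir"),
                "note": "advpack DelNodeRunDLL32 under a non-standard value name; inspect"}
    path = _launch_path(data)
    return {"name": name, "kind": "launch", "path": path,
            "user_writable": _user_writable(path)}


def scan(values: dict) -> list:
    """Classify every value; real launches first, user-writable ones on top."""
    results = [classify_autorun(n, d) for n, d in values.items()]
    return sorted(results, key=lambda r: (r["kind"] != "launch",
                                          not r.get("user_writable", False)))


if __name__ == "__main__":
    for r in scan(SAMPLE_VALUES):
        print(r)
```

Feed it the Run and RunOnce values exported from a suspect host and the IExpress cleanup entries drop to the bottom while anything launched from AppData or Temp comes first; the target_dir it extracts is also the folder to collect before the next logon removes it.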

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3236 set thread context of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe (3 rows)
PID 2804 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 1168 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 2316 wrote to memory of 3840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 1464 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE (3 rows)
PID 2316 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 rows)
PID 2316 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 rows)
PID 2316 wrote to memory of 2884 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (9 rows)
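Two readings of the tables above. First, a parent writing to the memory of a process it has just created is routine in these reports (process creation itself does it, and Chromium-based browsers such as msedge.exe also write into every sandboxed child they spawn), so the forty-odd msedge.exe to msedge.exe rows, like the FindShellTrayWindow, SendNotifyMessage and BIOS-registry rows attributed to msedge.exe, are the browser doing its job after Install.cmd opened the iplogger.org link and carry no attribution value. Second, the single SetThreadContext row is the one that matters: PID 3236 (RUNTIM~1.EXE) sets the thread context of PID 3180, a second copy of the same image, and the Files section later lists memory/3180-96 at the usual 32-bit image base (0x400000-0x41E000) in that child. A same-image child whose thread context is rewritten by its parent is the shape of process hollowing (RunPE), which would be how the RedLine and SectopRAT payloads the report tags come to run from an unmodified file on disk; the report does not spell this out, so treat it as the inference these rows support. The script below is an added example, not part of the report or its sandbox, that parses rows in this format, rebuilds the parent/child tree from the write events and flags only pairs that also carry a set-thread-context event. Its sample rows are a constructed, abridged subset of the tables above.

```python
import re
from collections import defaultdict

# Constructed, abridged sample in the row format of the WriteProcessMemory
# and SetThreadContext tables (Description, Indicator, Process, Target).
# PIDs and image paths are those of the behavioral2 run; identical
# repeated rows are dropped except two msedge.exe self-writes.
SAMPLE_ROWS = r"""
PID 1464 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 2804 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2316 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2316 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3236 set thread context of 3180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
"""

# One row: "PID <src> <action> <dst> N/A <source image> <target image>".
# Both images start with a drive letter, which is what separates them;
# a trailing "(N rows)" count, if a table has been collapsed, is ignored.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A "
    r"(.+?) ([A-Za-z]:\\.+?)(?: \(\d+ rows\))?$"
)


def parse_rows(text: str) -> list:
    """Turn report rows into events; rows in any other shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_image, dst_image = m.groups()
        events.append({
            "src": int(src), "dst": int(dst),
            "action": "write" if action.startswith("wrote") else "set_context",
            "src_image": src_image, "dst_image": dst_image,
        })
    return events


def pair_summary(events: list) -> dict:
    """Collapse events to one record per (source PID, target PID)."""
    pairs = {}
    for e in events:
        p = pairs.setdefault((e["src"], e["dst"]), {
            "writes": 0, "set_context": 0,
            "src_image": e["src_image"], "dst_image": e["dst_image"],
        })
        p["writes" if e["action"] == "write" else "set_context"] += 1
    return pairs


def process_tree(events: list) -> dict:
    """Parent -> sorted children, taking every write/context edge as a spawn edge."""
    tree = defaultdict(set)
    for src, dst in pair_summary(events):
        tree[src].add(dst)
    return {src: sorted(dsts) for src, dsts in tree.items()}


def hollowing_candidates(events: list) -> list:
    """Pairs with a SetThreadContext event; same_image marks the RunPE/self-hollowing shape."""
    out = []
    for (src, dst), p in pair_summary(events).items():
        if p["set_context"] == 0:
            continue
        out.append({
            "src": src, "dst": dst, "image": p["dst_image"],
            "same_image": p["src_image"].lower() == p["dst_image"].lower(),
            "writes": p["writes"],
        })
    return out


if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    print("tree:", process_tree(ev))
    for c in hollowing_candidates(ev):
        print("hollowing candidate:", c)
```

On a full export the browser's activity survives only as write edges and never reaches hollowing_candidates; a hit with same_image set, as here, is the one to pivot on, and the child's image region (the memory/3180-96 dump listed under Files) is where to look for the unpacked payload.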

Processes

C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e616360b2f0f67a471775b8a9ffabc42_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS42A6.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfaf646f8,0x7ffdfaf64708,0x7ffdfaf64718

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,7038464289049145784,16485116281483497703,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.170:80 apps.identrust.com tcp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 udp
RU 95.181.157.69:8552 tcp
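Reading the table: every 8.8.8.8:53 row is DNS, and those whose Domain ends in in-addr.arpa are reverse (PTR) lookups of addresses already contacted, which add nothing to an indicator list. apps.identrust.com over port 80 is CryptoAPI retrieving certificate-chain material (AIA/CRL) during TLS validation, the same mechanism that leaves the CryptnetUrlCache files listed under AppData\LocalLow earlier in this report; 224.0.0.251:5353 is multicast DNS. iplogger.org (104.21.4.208:443) is the link Install.cmd opened in Edge, a legitimate tracking service abused here to tell the operator that a victim ran the package; it identifies the campaign but is not the malware's command channel. That leaves 95.181.157.69:8552, contacted repeatedly over TCP on a non-standard port that no benign component in the process list accounts for; the report does not label it, but together with the RedLine and SectopRAT tags it is the endpoint to block and hunt for. The script below is an added example, not part of the report or its sandbox, that applies exactly this triage to rows in the table's format. Its sample rows are a constructed, abridged subset of the table, and the lists of certificate-chain and tracker hosts are assumptions made for this sample, not a general allowlist.

```python
import ipaddress
from collections import Counter

# Constructed, abridged subset of the Network table in its own
# "Country Destination Domain Proto" format; Domain is blank for direct
# connections and multicast, exactly as the report prints them.
SAMPLE_NETWORK = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.170:80 apps.identrust.com tcp
N/A 224.0.0.251:5353 udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 udp
RU 95.181.157.69:8552 tcp
"""

# Assumptions for this sample, not a general allowlist.
CERT_CHAIN_HOSTS = {"apps.identrust.com"}   # CryptoAPI AIA/CRL retrieval
TRACKER_HOSTS = {"iplogger.org"}            # legitimate service used as a victim beacon
EXPECTED_PORTS = {53, 80, 443, 5353}


def parse_network(text: str) -> list:
    """Split each row into its columns; a missing Domain column becomes an empty string."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows: list) -> dict:
    """Bucket every row: DNS noise, multicast, cert-chain, tracker, or unexplained."""
    out = {"dns_forward": set(), "dns_reverse": 0, "multicast": Counter(),
           "cert_chain": Counter(), "tracker": Counter(), "unexplained": Counter()}
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"].endswith(".in-addr.arpa"):
                out["dns_reverse"] += 1
            elif r["domain"]:
                out["dns_forward"].add(r["domain"])
            continue
        key = f'{r["host"]}:{r["port"]}'
        if ipaddress.ip_address(r["host"]).is_multicast:
            out["multicast"][key] += 1
        elif r["domain"] in CERT_CHAIN_HOSTS:
            out["cert_chain"][key] += 1
        elif r["domain"] in TRACKER_HOSTS:
            out["tracker"][key] += 1
        else:
            out["unexplained"][key] += 1
    return out


def c2_candidates(rows: list) -> list:
    """TCP endpoints on ports outside the expected set, deduplicated."""
    return sorted({f'{r["host"]}:{r["port"]}' for r in rows
                   if r["proto"] == "tcp" and r["port"] not in EXPECTED_PORTS})


def indicators(rows: list) -> dict:
    """What to do with each endpoint: block the unexplained, alert on trackers, ignore the rest."""
    t = triage(rows)
    return {"block": sorted(t["unexplained"]),
            "alert": sorted(t["tracker"]) + sorted(t["dns_forward"] & TRACKER_HOSTS),
            "ignore": sorted(t["cert_chain"]) + sorted(t["multicast"])}


if __name__ == "__main__":
    rows = parse_network(SAMPLE_NETWORK)
    print("c2 candidates:", c2_candidates(rows))
    print("indicators:", indicators(rows))
```

The tracker host goes into an alert list rather than the block list on purpose: iplogger.org has legitimate users, so a hit on it is a trigger to look at what opened the browser, while the 8552 endpoint can be blocked outright.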

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS42A6.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e0811105475d528ab174dfdb69f935f3
SHA1 dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256 c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA512 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

memory/3236-22-0x0000000000830000-0x000000000093A000-memory.dmp

memory/3236-21-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3236-23-0x00000000052E0000-0x000000000537C000-memory.dmp

memory/3236-29-0x0000000005930000-0x0000000005ED4000-memory.dmp

\??\pipe\LOCAL\crashpad_2316_KXAHIDFMPYGBQOCT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3236-34-0x0000000005420000-0x00000000054B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 47b2c6613360b818825d076d14c051f7
SHA1 7df7304568313a06540f490bf3305cb89bc03e5c
SHA256 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA512 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 21a0f66e94cd085daef2560d75baedf0
SHA1 b597dd844ac88df48f7b3f1ec85af6e0ad372ba4
SHA256 f0ae5d5d4aaf8e63070670e5855e2e6e4d38844880bd97339d7d2c2ce49be03d
SHA512 13dca13d353876051bb827c7057fb9a6226fa8831f757130116a3ab7d741d2acd117648f580f3c8ce08211c922633a8e40e14d96e9f50c8010a0c3079d148877

memory/3236-42-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/3236-43-0x00000000053D0000-0x00000000053DA000-memory.dmp

memory/3236-44-0x0000000005520000-0x0000000005576000-memory.dmp

memory/3236-53-0x00000000080E0000-0x00000000080F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9bb0635811ab41b9d2e7ceee4d3de0c0
SHA1 fd5b58e7d39d840e66f98e4f378e2829c92e6235
SHA256 2df77cd637e058d03d4c7095b8813b07a4bf80888bc214971a9023952d74a0a3
SHA512 1f697610a46b68402dad8040fecb906d38e8b612cb4b0a17381efb192d0ca41faff73a8397c015319a24d1420e86f58d5b50e56172255a9dd550dd579a3bd3c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3e96248d20fc21fdabcde7e2ae63bae6
SHA1 274f96d717b0a1f5a9de260f4e2df6c3213f0035
SHA256 6a2058def7833a67a5faa92f13c176cdddc89c9818e3ffe21d5a6ca3f60a8359
SHA512 9b5d39b0e8d0d3b140c5d078b4e8b783ae90da8c89f77332c9e4fb54c6b396d7833265d464f66ade67645db7580bc17dd289c8c1bb8e289ffb746534e13d263a

memory/3236-82-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3236-83-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/3236-93-0x0000000008140000-0x00000000081CA000-memory.dmp

memory/3236-94-0x000000000A870000-0x000000000A88E000-memory.dmp

memory/3180-96-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RUNTIM~1.EXE.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/3236-100-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3180-101-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3180-102-0x0000000005E40000-0x0000000006458000-memory.dmp

memory/3180-103-0x00000000058E0000-0x00000000058F2000-memory.dmp

memory/3180-104-0x0000000005940000-0x000000000597C000-memory.dmp

memory/3180-105-0x0000000005B30000-0x0000000005B40000-memory.dmp

memory/3180-106-0x0000000005980000-0x00000000059CC000-memory.dmp

memory/3180-107-0x0000000005C50000-0x0000000005D5A000-memory.dmp

memory/3180-121-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3180-131-0x0000000005B30000-0x0000000005B40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf