Malware Analysis Report

2025-01-19 07:16

Sample ID 240531-dkm6nsch41
Target 85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118
SHA256 85e102eaeb3eb3dc8807c31e76325b817ebeb1b9d36c20182cdf61baafc507e6
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85e102eaeb3eb3dc8807c31e76325b817ebeb1b9d36c20182cdf61baafc507e6

Threat Level: Known bad

The file 85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 03:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 03:04

Reported

2024-05-31 03:06

Platform

win7-20240215-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px64EB.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423286519" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f1ae6f07b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b684095eb99b947ad81ee10f7d3569100000000020000000000106600000001000020000000ed3f17b6d81687a054f917e5c1cd9abdb77ab6c36af33db8f7ba0cf0d242d2cf000000000e8000000002000020000000bbf26382f527273dbab666e5c1a87640cfc62ce68c44e18038c52a3e05f669d3200000000f03a5976f792bc49405346b6f494effcfb1229138110666435ade0a410219a04000000032838fddd05340f4d6c20ac70fd7e214293b8e5ce67732b43f446ac1522b15c190511dbf493665c2ebfb8a67f9cbb610ee1342e69528e719acd1e5123c56f2cc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74434671-1EFA-11EF-9EA5-C6F68EB94A83} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 2540 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2540 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2540 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2540 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2540 wrote to memory of 2856 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2856 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2856 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2856 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2856 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2344 wrote to memory of 2312 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 2312 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 2312 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 2312 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2700 wrote to memory of 1448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 1448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 1448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 1448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275475 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.0431a.com udp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 8.8.8.8:53 amos.alicdn.com udp
US 8.8.8.8:53 wpa.qq.com udp
CN 203.119.169.82:80 amos.alicdn.com tcp
CN 203.119.169.82:80 amos.alicdn.com tcp
US 8.8.8.8:53 api.bing.com udp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
GB 79.133.176.219:80 ocsp.digicert.cn tcp
GB 79.133.176.166:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 pub.idqqimg.com udp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
GB 79.133.176.213:80 ocsp.dcocsp.cn tcp
GB 79.133.176.223:80 ocsp.dcocsp.cn tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
US 154.91.50.177:80 www.0431a.com tcp
CN 203.119.169.82:80 amos.alicdn.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2856-10-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2856-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2344-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2344-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2344-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 03:04

Reported

2024-05-31 03:06

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 1612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4660 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b7db46f8,0x7ff9b7db4708,0x7ff9b7db4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4660_ATXMIJEHSOJCDKSP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab9400f3-6a9f-468f-bfd1-69469f9e5bb5.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
