Malware Analysis Report

2025-01-19 07:18

Sample ID 240531-dxq34aee66
Target 85d903398d6034bc8feaab55ad02031d_JaffaCakes118
SHA256 729c576a6acde71c8e1a65aface6681413bebd7354151e70e06a670e175e56a8
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

729c576a6acde71c8e1a65aface6681413bebd7354151e70e06a670e175e56a8

Threat Level: Known bad

The file 85d903398d6034bc8feaab55ad02031d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 03:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 03:23

Reported

2024-05-31 03:26

Platform

win7-20240508-en

Max time kernel

136s

Max time network

121s

Command Line

wininit.exe

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxC81F.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ee972f984c794347e35370cbb42d69edbafa630432fd787f141a5097145c8127000000000e8000000002000020000000710c80f9199733f7510a2ed5191a70964115212cfd763d5f7d2b7d72cba6c5d19000000023c7b9b0dc48a50439d2c8fceee1b3e0e4653559554335739b357483548fd26a10238bc3b1a918739ea9c01af2b0295eadfe6cdada34b20deda8aa6e153d41fe836febe3a685c9a0245ad9f3fd6786d04652faddb4a365e36cf15ae48fb64223de5834c2ad904aae8da0bce0327921b4c5051518aec12ea5027a65930776dcf615144c8873a169176b40e7dd4427ba454000000014968f45c686b37e53279c53007a923628da6ed7ae0e5e9f826bb07d3d8f77399248574f998226326ec71a2408ab142db97cc0be80867590f2c33e67c47a6551 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000004df8c41bada1c520096e759b359c0980a4fbd5301b5221485c725074f1ee5b4c000000000e8000000002000020000000a4c28251462b5e916dd62b510493b7d91142e94b469825df7a5bb015b151fc9c20000000690615f5305ca843bc3e8b412c8720dd85215124140cf4e638497b29b152bbe440000000565eef3522f7b6ecf5a57e209ecd7cccaef387bd24e5b6512e16739fd3734c02a28b4dc9acd01828610c013580ab935daee9c669cf0fc5790eb67238af85958d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300ab83c0ab3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28DC63D1-1EFD-11EF-A18A-FED6C5E8D4AB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423287680" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1944 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1944 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1944 wrote to memory of 2804 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 1644 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2804 wrote to memory of 1644 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2804 wrote to memory of 1644 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2804 wrote to memory of 1644 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1644 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\85d903398d6034bc8feaab55ad02031d_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bdimg.share.baidu.com udp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2676.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar270A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bef957ddb614ce21827cceb346aa19e
SHA1 b0290bfd33b65037d4e1d5bbcce4b0588bdac576
SHA256 dc4a549ed7fe648d3e231fb3ad8b1cd6758310d2c9b2e448dc30943c2ca86e57
SHA512 b0a76ceb1504d343ebd2cda0785753ab2ae3b9f8ce36fe59b48c7091388a366aa5a2ea1ca3ce744571c9d05d9d16cd5cde84cfadbd5583e9ce3dee6a39d71441

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 145f76193e8e9781bedece8f5f3e4697
SHA1 d356d732b7bda062e7181b60c341941c6c9e7b1f
SHA256 06396655907a2254fb21af9dcfde22b087647a11bd3d6a24f68d2a6e612a4de1
SHA512 cd7b264c18c580173be2480b15e3411472f16e8a71ed2db1395e6859df0e81e25dae663faf5bf6d32ce27752b8a1b54695df663a6a91fdb1cba74cbc00a93b99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 798710d576a374579c69df2035f7a6e4
SHA1 9c562c4b5d3e6a59d53a2ee0324a745da37c7b32
SHA256 f357ff44f0896f8f1785b4b99a6a87a40478a2588b101b6c8ee12ad978f3797b
SHA512 2e27acd8574dc92abb19325afaf9fabbab986c257abb5aa778314412285b45c744160f80240bfbb96dee8e121df6e67bd7d693521bb17d41b18ea5ea6bfec320

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1515619ed5e2ac63f53e163481a7975
SHA1 c30634948eda9427e754ad6f96893f895f12d590
SHA256 aad7b342dc13a0fe969023c8334b29bf092a496f99997dd093c4c2988315b369
SHA512 2b729663dfd19254ddc54dd6ace488803dae75a4e05f0af48f3f7904fa41d22cbc335e90a5dc49bff2c1ead46b1b23b89bdafd8a6f0e703af4506df60d5d7238

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae75d88abbf86c56c00fbd4448b20228
SHA1 27624a42e1be938e1db604354225b905886847d7
SHA256 2054d9638f726c8725c369b82d6dca7593f95091ef9bbb24ad081390e5ecd1b5
SHA512 24ef17b97866c02d10416445420df542d99122f54e22823227bc075af9ac482c2f0202d56062f20743a00e86cd833c812e513f1f08aeb5149cda33892f7c3e66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4539d130bb0119649a3412edaabd7e5
SHA1 4b8ff593e49ed32d6db4ad1882aa8bca8ac90f59
SHA256 4ca29ea77e5be706aa1e4be6bb43b4ad025280ee56c514248b34ee1bba89191e
SHA512 dc5ec812b9122c6e06178cc986bc9a4799e45b41312aeba6d63411d9f370be3db5e242efc49e21e634f1f9885ae0fa1fb80cf007cd1cce7b9a20113aa03bde2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f77e89115c685561ab5fa71b80068bd
SHA1 c56333a33fa16e539b50f67dd887a87a57b9e077
SHA256 9461a1a2ae9915de5ed945d03fa3e2f806e1629e7e4bf9dad2459d7052248868
SHA512 364a92aac849576a68f4cb469716afa62ea529b019d5f20f1c1bb5c4ac8308dd287a361a65f8e9b48c1804964e7f6f0de9c73121840ad78157d599067578274f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fe860f11e8e0f3e084099058b705db7
SHA1 d13e112c5f3618b40cc4b564ce8457fff6ec60c5
SHA256 2366ae1607e6c2bbb48998343736d499160b2b345dce05c6c011ddd8f5fe0cdc
SHA512 bd129384cabf126d231d165af0d2cfbd514a47160e7a1b1e1f90f77c7a46dc0636a1bac157d5d6e50f7dffc53e7c2fe47f49e5f40ea598b66924a53b5d526d01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 696584fe1e28fe28dac3234fb7dc399a
SHA1 6e541a8d1a1e87ebba772f65f372aca775757ada
SHA256 2cd3c9cc16ba8036dbca26eef01fd897d65fe4fcda17757c02b90f7259f1794e
SHA512 929d332e46d65f0af26a4cb0fedaaa4a916ef18699b1b0de8d315ed2ebcd7fe86055c641721449618f0bb224c4cd1a6a90e508d0a85f4c1f18a83609e9034b90

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 cc9104bc71a23e14787188f3634a4d05
SHA1 0b537406933abc1738ef32b96069961d024f1b8e
SHA256 aa797033a44b0ab42e6428552b5e85bc735c84082493f63b4b3ad0843859b28c
SHA512 023b9655cef044082ceb44c6644d834e4ba9af088843674cc8e816cb4f4981bf0958b0c82002c1597c8818e57af0f80d4cf3ab771e68af5a33cff752363c7df3

memory/1644-484-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

memory/1644-483-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

memory/1644-480-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1644-485-0x0000000000240000-0x000000000024F000-memory.dmp

memory/1644-486-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d23b12a9442417bf45d51eb9c0ce1a6f
SHA1 5333fafbaa4837a0d825df5537bd81d0b7379999
SHA256 f97a4e459a56891788273dd6202b98d4bc5ac86449378ff52f788a579ac9086f
SHA512 e8ae19678b51af52507d68773a7d38cbd24d46a48f79445a7e8a538d3f43c9de4fd57fe98b2fff96d8a3d8e238426b9ca8cd530f07dc0eb7a266081e43ea5df3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4038077d70190817e0fd3438e1c791c
SHA1 4544e84e0fbd46c95486d481e274b701923be880
SHA256 a7e0b7836c288ee425fe0fbde7d8125babd5b64bf8b5d34238205b469a176d23
SHA512 f78c5797eb60255ae360e8b6584870a98ae10bd9c2f1d62e5403f616831fa9515196bfbd90b68dd71c917a4fab9611ff2c25ef3c9953b7f01061d3702eba4104

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdc03c93d22229c8cf9f0a78a80b6313
SHA1 a801ecaba69a4e9c8976696e5dfcfc673e419f46
SHA256 a44354f746b4330a8b3c1b7bd218c122593d68aa2847c28612ac96ccd5c13f7f
SHA512 b08cbd2a355386b7cf1b5c9c40a6dec9c6456ff383ff6bef2336c3751159c8bf0ba5f05e123683deaf5ef5d28053d453a7e49c24fb6c6fa3a29b2bf03ebedba3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76ef112882da193d9f847f85206226c4
SHA1 f4d0c724dbd9b15c8ffa117d2c52464ede6b00a7
SHA256 452181bcf58b44fd413f3147e981754655664b9539c101a3a736583687947624
SHA512 1b456185b15c7d57b185c3db097c559116fbd86181a89cc761d0b1fb91994b0578590714d55cf5fd2a71507bd8719476de8bba1158a5f9c60761d947ee1260e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7ae09e88befb038e02b48cc63186a5f
SHA1 077c388692db124f9c83122b8a42f26e358c65aa
SHA256 04494a023d6dc99e33d881168879ce443bc5a5d9b3ade3282578f46aad2fa994
SHA512 f4e3e632b975c420104f9b01b5ff3c4e3bf5a05b7aa29ede520b3e7a96e724b11d1b7f8ea9d8e50073d98a8d7d9115f4883ed0e5810645e041158c034fe7d51a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 072b9079217d1d3fe03bfc0f72679dd9
SHA1 0c984dbf80171adad35c38aecb6e20bd680a60e9
SHA256 47950ed9004fcb14470c3af87d3d53f49d7076cb71934d768452604f09c26e4b
SHA512 e1461676fb76638b87e92ac9936fa3290ccce15dc4044fc33cae8c814af6cff7a1bccf85fd1545356259a607d0b07fb890c0c31e145804070252f4aa7ffabe67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 184cd8050b31fcec5f50a43a3733c218
SHA1 dc7c9738557b83d34edc374aa999608dc1775022
SHA256 d3602a3f12ef089d90350dc070bc1ba143195fca6a252e7c7f97170c288032d8
SHA512 a3688c3ce53f8863e5317d57d32584de1167d272cf7e490982d9e94d2ec0afde9e1202e3649d38d4060145a20661bffa03e55350001e942ad932d32682bdfe69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 303a237b1a6e8bc179f3b837eb9ac8c1
SHA1 d4fe0ffb832d81237fb92f5136824bcb071cb85c
SHA256 9314ffc5475bc0494894339bb25704d0bda218036aa1edfd51a92562cf1c5e74
SHA512 5c1b371f06e98e7132cb52d8d47ba45854d4c67a0a82ed391227d33ff76c510ddbbdecfb180e28b8caee08313d93b5199cdfe36264767a42d45c8e7c1962c225

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73833b100e792b4d190481372e992211
SHA1 05693633a814162412db2b98b7b331b3a4c7a0eb
SHA256 22d59a7b32bafcb9d8813156b6bfbd0193f7c66e058596030948c579509f0732
SHA512 38fe356bb5c99d6121a1dab0b270e371d3848cc990077c33a3d5dc6419fd36eafe049350acc84dba87b422fbc890b8f3d132e4f7ef9945a29188d6b67fbf505c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4eea139bc986d9540e53be0bdafb9120
SHA1 62023f01c2509ac36d1d9bc9c90aed1195d16347
SHA256 b4a188323c2dc9eaee66a4895cffe9bdc3c9d1d6b39d876df0efefd7b6f24233
SHA512 6104e2c343419f912bc508f7d5f5710f3021dc5701b99c7e9158e1e7765e4347cb9935c89c5235f55db2a2009197c107c84854a8a37da97a3d5bb48b2ca2df14

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 03:23

Reported

2024-05-31 03:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\85d903398d6034bc8feaab55ad02031d_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 3792 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 3792 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\85d903398d6034bc8feaab55ad02031d_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef95246f8,0x7ffef9524708,0x7ffef9524718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18160035836769869677,8330377625986289851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 bdimg.share.baidu.com udp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_5036_UHUCQSCMFARTSLTP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 71be3695aa937f27be429e4ee05d879a
SHA1 7be100eac2e32eed5bd4f294c849b7b486b61a4e
SHA256 fc2754e16df8ccb72eaa2fdb63c3d37408d8fa766a4dff0f2ed9582d4f57e059
SHA512 39e777b917fe07cd28f19ee88b4bb4324d00fb850fa0339f4bd2480c133578e489334470666a813f2cca445cce32609b6886f278f5039c1b4e1a8e6645807340

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 20f65e64a15696dd51d18b3aea10ad64
SHA1 80a2035e53c350ba00b7dd2312dfe40955af406a
SHA256 9363bebd2229d6d0ff7f9f4b45e8b61c2e62bc49d87a1da0a2217c0cac6a39ea
SHA512 beaf5d38106e8b7f1616fa7df132f5a36c9c092d2e725920dafc6adfb28315d32395648e4310b3d813bc9fb9cae1af798734d9720920b56abf7118813c34ac4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b5835fe5af5e67cd4f63b5824d31a9f9
SHA1 cb69b0186caedf95e6faf25b261bbb7e374134ca
SHA256 c931b55677b997900eae72e4bb032b80872aea8d2c199b9f2a5f28a71337c9e0
SHA512 2495872f4806eb184b61820dd195e3be437ea865e3e3ad6e14e6da5fb0a4155bcbdd2944f898a1b929c66ed14ff9b53d8c27eb4ceec4850e87137d3050036a78