Malware Analysis Report

2025-01-19 07:16

Sample ID 240531-hfcllaba88
Target 863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118
SHA256 1146f6b1c44071ec4769bd7129cf63b3dc5475a9bb983ab0145fc0069ec363dc
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1146f6b1c44071ec4769bd7129cf63b3dc5475a9bb983ab0145fc0069ec363dc

Threat Level: Known bad

The file 863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 06:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 06:40

Reported

2024-05-31 06:42

Platform

win7-20240215-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1F24.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\Downloaded Program Files\SET1E1B.tmp C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Windows\Downloaded Program Files\SET1E1B.tmp C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\Downloaded Program Files\swflash64.inf C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A66575B1-1F18-11EF-B7A6-525094B41941} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423299488" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000057d5c26dfdd484c9d777815dca4173b000000000200000000001066000000010000200000001ff03f63c5aef3c84639c40f0e0e4c8d42fddcdb0481a2edc54c4065c86be017000000000e800000000200002000000012343608ce54a075ace8a050aa2e65391b56eb29375f2aafd6b42d2c133e81fa90000000ac94db09ba961848d79e4d6416ebe04f86622ffb8f157c476d701f98154a43a9d6635017a69aae6c39274ee09cd36940911bb168bfa3f346ffb19582d3a49f600182a79eae8f9233dd969efe7e01a7fc509474fde9be7f87c6275798b35556f062dc7b9c45b28a5ef80eccea92f3bada8d68596cc8eba1e4ec1c3727c9400e1a75e089423cb1d0f4fc61cb5ce9e8227c400000003a41804f89daca62d814f89a1b41e5dd1a672c1da67b92a12a01de59255af5e16818c386c57cbd528243331338f63e15766756d32c2a78a0c5cdabc4cc4b7d3b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000057d5c26dfdd484c9d777815dca4173b00000000020000000000106600000001000020000000f115809a467584c19717dd9f23966031f2a2ccc75b0c55d7b0d3f7f702980552000000000e800000000200002000000013f548b9276b91d072d2a7e2a60dc4f3096de7ca4a3d1c375f67d115cf306915200000001ac0c097a4fcc6c6d8d911c8e267858bf015bcb95bac0c73944af06623b2bb8e4000000075ae59847467eed940cd883e5b25ef265e6725f948810ba20f051afecda67548752cf30687037dff9e97cacb2dfbccdcd07acd6f6340a7ae4a53774070152015 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 004afe6b25b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 1820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 1820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 1820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 1820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 1820 wrote to memory of 2740 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1512 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1820 wrote to memory of 2416 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1820 wrote to memory of 2416 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1820 wrote to memory of 2416 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1820 wrote to memory of 2416 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2416 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2416 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2416 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2416 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1968 wrote to memory of 784 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1968 wrote to memory of 784 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1968 wrote to memory of 784 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1968 wrote to memory of 784 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1512 wrote to memory of 828 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 828 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 828 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1512 wrote to memory of 828 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275464 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275471 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.raimsing.com udp
US 8.8.8.8:53 download.macromedia.com udp
GB 2.22.133.225:80 download.macromedia.com tcp
GB 2.22.133.225:80 download.macromedia.com tcp
US 8.8.8.8:53 fpdownload2.macromedia.com udp
GB 23.73.139.59:80 fpdownload2.macromedia.com tcp
GB 23.73.139.59:80 fpdownload2.macromedia.com tcp
US 8.8.8.8:53 get3.adobe.com udp
BE 2.17.107.105:443 get3.adobe.com tcp
BE 2.17.107.105:443 get3.adobe.com tcp
US 8.8.8.8:53 api.bing.com udp
BE 2.17.107.105:443 get3.adobe.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab16AE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar178B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\swflash[1].cab

MD5 b3e138191eeca0adcc05cb90bb4c76ff
SHA1 2d83b50b5992540e2150dfcaddd10f7c67633d2c
SHA256 eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b
SHA512 82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

MD5 60c0b6143a14467a24e31e887954763f
SHA1 77644b4640740ac85fbb201dbc14e5dccdad33ed
SHA256 97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58
SHA512 7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

MD5 47f240e7f969bc507334f79b42b3b718
SHA1 8ec5c3294b3854a32636529d73a5f070d5bcf627
SHA256 c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11
SHA512 10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c600f2f2ac5d0f43b4cf0dd2250da2c7
SHA1 0097fbc598252e5eafd19f56952dd5ca2ece9608
SHA256 d944bb8b0f3c433e7abb14bb8359b83fb9a232191ede57dc05a8c2cfa905cafd
SHA512 2969c5279dc45b2ebefe2935da54bad20272bb3403662c852a55a553d4ad709a4ec05f09fe1d6954f0f5691d1d02a3ef91b7eda317a7238963e3045b76a75732

C:\Users\Admin\AppData\Local\Temp\Tar1EAB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2416-139-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2416-138-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1968-147-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1968-149-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2416-143-0x0000000000430000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0823701985915ad9333e269869ee8a44
SHA1 9107caa2a0588992473671b768adbf1506018cf5
SHA256 89f7b4759404d44fa951319a21dfb96e1781211c9e80e65bfc295d4a4182301b
SHA512 bfe920f8715e9ea71dc77ad3c805fa67125562e0ade74982e7dd3fc2091c6d54717ca3aeb55b2c36dacf6692e1ac430f5203e544dac2098e482a0266ce2080e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4352d79a5aa4ff3cf50dd9af57163511
SHA1 7d277bd1a30d6818176144c88d8dedb46939ebc5
SHA256 5368402e2451d30c67a222bc9f2ef6c3335504b704437ea17f283abd2e1b099f
SHA512 c36df8a8e904092fed1fad4d0c64e974e81e77c8ba8cfa9c5fe082aeefdf12358eb5321900ec48f346b894e4d5856c72ddabc31a624b56ca77f7acc6bbdd114e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea37c8d4c115e8d32d629fca7881c9aa
SHA1 bab1f81661bc8d9489bef2222f4de26802749d90
SHA256 e362c8cf0ea596c0cfc4b08dd8acfaa2deb3b6b3167d2e4ad865783f8ba0ed70
SHA512 4cf92879f304ea50d21d049e7d4de96101a6ad60d080399659d48bee923a87bc6d0543210fcd009ca10b01a3678116b4d15382411edaf6a734a16f436c93bfff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 183b7a70842df2ddfff4451565e106af
SHA1 65ca5c9179db6c3f2d0a939ab69107edd43e2122
SHA256 3a2829a5086ed566b63d84721e87a913cdebec43ffd177b6de5771ae82b58f68
SHA512 6d062c88ca9169a560e3adab3f5fd858cdda27024bb37bb2e6d122b0e6eece456128aff249248bbebe69f5e3bc9aefb757ab8eedb5f816294dc5baa5c833b7f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62c730e5fcfc74104b653509f4be4f43
SHA1 ac3c46b71e3e215e26b7644e4e27f1a738c535ba
SHA256 3fdc61276ea750dd6ac9b94f1377ae4d39c1fcd16b4139977b2816286af7f422
SHA512 1f028819441372f5671b91091e3b226d79e7dd5253683244b63fedc3e7758696e25a28f3596c3208d3303b5b0ddccca4f0c55e12a8071e2f9d155125eb2bd6db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5fd6b6f370f6bd790d0fc7b10a89930
SHA1 2d9904621af10fe804746b67aead0f8e89401bfe
SHA256 43f4266d68a2e360b3b7a5401e484dbc3b6abf9949d58a6fe24f9c4d3a9274c4
SHA512 835162347efae3ed4f1f8bea5f1ce3043d604f49b2e469bdc4c189bd03c3bbc244fbfbb3c96cade9723f2491f9db09a635ea289a0e6b35f7c34b1eb0fabffc8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffc0a46a0f8d743a3f19ed10c496110a
SHA1 9bfad7f9875a1a4c871d2c23a830ec3eb5fd12ee
SHA256 93a85e4308de0ecfde57979ee213da770871e3fada3cd049f796de6927cb0384
SHA512 a324b40697d7355ee506be7811aa027caf5c9bcf232d372169721ed75675530442232abc1cb5ac53b3d74ac5dfa978fce34edbfead850d15067f62357c0eb33c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 830966112b9ff3149fc8c7769e09d576
SHA1 193d61df0f69cf99a0a708b1de4d0879c02de38f
SHA256 1f7fe3b557d5db94782d7999a047e7d29760226aaa8908f6d0331f19b6bc5405
SHA512 d55beb43f84a72ab4c620248648133b1ec2f7dc2edfaea235eeea3d44bd50a39ec138171d333c94d860f3e16b475ce0470f7ee7895fab91bdbd7b70f96bbae98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ce0becc0efc113560296bf850cb6e41
SHA1 9a9ce4704c759114d91d022b704369ce82d3a54e
SHA256 964dd750226b0459c8192ae825b5d810939d97f73fba252b9b510176f40c5c34
SHA512 5cdd9630a00446983dd581d7281f392aaf3d55e8709d897e65742070bad6de1a0f58dc62b636775438e7b18a0dc5cad15dac0ac06f7ecf1f88ad7c40b7ff811c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 470486f214d93cc836499ee7a78afc27
SHA1 ca4715b1aff88009c006978c3e295807207899db
SHA256 cdeeaaa992a03a36213cb6dfb239f0f014033699cb10b16fc14331dafdfe0b80
SHA512 3a3cfdc011babdb0f3b7d9976d7e496dd2b03b15cd556f11cd74e43de1514b5299201309dd5d1f4a29a9231dae8904fc02ecae92c1336c64aa6cf990aafc3da0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a72dc67752a893add24f1714fd1cf24
SHA1 90be79430d4b26b2240e37a231470b53123ec824
SHA256 b02f42b615258ce386ef2a0411386398c07a9ae5bd6a42103f3360e2f0ae4b7b
SHA512 2a91b0aa5a463fca956c9eb497285a54c25dbc2612953bd71bf57d89e6e1b85139f1b6ddb966dd61d3d58536d53e8226d06e612c48ae24e0386aaeb82a7ccc7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c02d4e616d7d9a5d48131368fd65b84
SHA1 f3c7baf30b0579f3ff9100457103f552c3700d19
SHA256 1c752a8df21fb301ca663ccb46935b18971b841ed566ebc41e16982e42a6ad6b
SHA512 2bf54464c3291d78b8fa315778b1145d3521d3242aff83ea36c9bde7fb180f03b4b3ae4558c3f74e046c29afbbc008b9061918e22e11f56919aae5b0f24920c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8405798dd30ae08f193b7541c245246
SHA1 f66f3d804e9f547385f6f27601edcb7b33c8012b
SHA256 91b8f91a59d3dc2c765a769930494bcb806f2bf41061aa69b42b8c9d1b5993fe
SHA512 a0f6dba9252e05ed5ce66500d63427173eef9186f9e7e30f4489250bf8375a07084faa0f23741f84969c40dd1bac7a1b6630b907917a892fd748d66a639dac86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db76c4c781325e1ba061c84f130621e7
SHA1 0324faaee5628ad63119fb26578daf6b1e6a1f00
SHA256 87fa0d90961c01b82059392a6b90ff51e1af2b1c162bdbb0fb7b2a2c4a9527dd
SHA512 bda7e95f058e77e1271e798892e1fe1668d105f0174b9e559029ca352c873bb5db0c686f1774d3476b1012ff2bc66d0746e5e76e6c21b1beb6375ef3793adc19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8818c6195daa92b8a9c2c5b10bfc2507
SHA1 c71e1e91868f4c4b2ef634bd1388309c3cced737
SHA256 ca14178a8b57947e12531a801a43d580cd29717067152179c016ae1ec9473612
SHA512 7cde6e209580928dae2fb1c25ffbe2ee8f59b5d123499f214d7e7048adf32d122b29f3ebebcbbd534d395488673f2d29bf75174c182512fa37925fdc321de170

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2afd87f3332eb3da48984fcda432327
SHA1 95def6123b4a57403192901c71cfb307db63f67a
SHA256 e10a1400be15e016365d8496040d725eab19dcb0248eae6a92ddd7bfddee6ad1
SHA512 5078873fc1372c1f429238b75ec5d73870aed6a48ba218bf277a1a9bff24b5253fa7a66766c1e74a4fa024fec1fb5615734c4edc0384cd9446f1d0fdb272c10d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e3dcfe5c62646ab9cd19b7d8cdfdaa4
SHA1 6a06652816d8362d8fea2a7c9da981b9f75936da
SHA256 1e2d5a3eb33c2dccc230b09e36dfc2796ec5dabea8475a44fc563f07a6c9525e
SHA512 b7b9ded8345df5de3c04cab3c8847561bcf5222438f608becd204ef72d25a0f4f266d67325fe16a063040d6c83a2edb663a6c1b593b3fa4017dae332363c503b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 457c0a014afb9e657605c8ceca0fb3d1
SHA1 f690b52104612da8efa0e9b95eb73d178ce7be17
SHA256 92d84993bac77ccc1b4a0bdee8e20c66e04ca3ddcf59918c705a327d527a8560
SHA512 c23df281249ef2dab70548038eef649014bc0ab8ccea6b8aebaf7c8b143c0de20e17d47a14b946078675dab393b9f8bf622b51f11c63ba05000d3904002069ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bef71825727566175f21b2c479a872cf
SHA1 292f6da05da4522a01c5caf15cd4dbfb979e642d
SHA256 98b0797c45b1440ac0b00bef352d58ce7d7b8e6297617314eded0541dd37085b
SHA512 f1a04d134c5aa300394a95c9fbfb358aa1bc8e6bbec9efa922d98ac82f72d8ba63c3a772e2637591e338794bcfa045310411f27344c1be5346ba63271d4422a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 532c05e99ebc8590ad6a479cc5fefa1f
SHA1 7210955fd01a40768a11baccbade17ff8f0b44db
SHA256 bb5e65428f3061cffb982c0b7abd9dfbfcdbe1b1fb187d685b17ee5aaff787be
SHA512 cc337398b05ae076eff81bbceec44d63d369473abcbeb060f259d9f9d74a318253523c1e00c77c70b6c3f151004b24d1cb1578f443a4c6dc632ed63222ea8839

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4113212996eb8dc7d87061ce28658bb0
SHA1 5237c852783392dd66b4666e92d7e5395bf9d08b
SHA256 bfbc3f669b251a9f68097a8ac8fdd997f87e149a0cc947bb8f7421352fff6881
SHA512 e3feeb2c1a39c63021c526d5d7a21dbbf4509c440e81b170de15bfe8c682dc8e919cae381892d5cdfddf4192a27003950a35dfa793cbb2a39aae5e2a5b6e3659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 614f851827a616f90b982c25ced7b943
SHA1 6dbaec2aee4a626ead8cfbc184a44f24e1e42de8
SHA256 69ae2e42abbc396727fdaff86d1349618c9e06a4a7b4be414761b528f059a1be
SHA512 d0994de89f5e69e1337f5dc197b1494f9661f44f68c69bc21cf05533eecd8ec13c20700643da69b87353e44178620ea2b68915eebcc7c17d1311b44e9b253e7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3c3a56c9139eee6ba08edb82b2d6402
SHA1 8ce3cebe020261612694cb893afbbf0f686d8c5e
SHA256 cb8f1f42c86f0159ecf6abbfb03443e4057862d67c24ad65607e7e62c773f5f1
SHA512 8f5fc008e0c8e2b2febe9f91358e1ab9c0538c52c71e10f3ce0ef5a92daa816b35a6ba4742f714ed89306b8fd15fd143ceb5ea0052ff46fe1e133e8990247670

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51c07ab96b9847c226132994cba76f21
SHA1 5b9716e57d4c9c353c626b0348a78d6e3b94b5f7
SHA256 00fc340ee4d5ff17d6038f5c0f58ec8f742a6fca6af8e4fe3df604ca0e7f6019
SHA512 e98b100b27d2de942d9682b89a70aca4bae7a1669945195138f46b0be3b5e34cde886b7bc3bf7a18d089bce7bc8208b77f1d61fc9b088175104d0a27de4c6002

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3cca5fbffe148c2796a76abb2fa3cf5
SHA1 f74425d5be9955e426d76ef8918c42e6e0a0ea22
SHA256 b4bfbfacb203fee9db6568b7545a9a4b3c4cd35c103be7f8377deb8782db470f
SHA512 256ba9a97b6ac9050122a5809b1cdc9c30b80c72ac6be377ac50eda8052a9dde0648d52a397dd96753293b7fdc1534e5cf53c74a6c7ada8f4e5509d9403f6088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebd68f0ad16e0c704c5eef2f285d974a
SHA1 8a3974f8beefae692d8de41888f2eb0f8fbf3645
SHA256 9ac7539994d12e14b497b44d620cccd6d6414e5e52a71b5a1469fea88e0921db
SHA512 9b89c1a2be6c8554f440308cb7ec922164b3ed352d206cbf0816031f0907de63d85421ac4a85d9f02330bbcae835614649cc4e7d97e31167ef6d6c2f0025f5e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdbcae15846cdaf3edeb7a0d5700eec3
SHA1 ffedaff3de2eed37759febcc3592224c77f005a6
SHA256 e6fa84dee1ebed17344a987b1d44c1748dfe41db1140119bfb32e34421d18d07
SHA512 e12da5853d8b0dd9f26504af4b813d649d128846a12f5d7fe3a2b9aeaea96548d41fb202f8e1bf58eec0989527972f3f88cf41d1b7942d683cd46e314e11abb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 70ab57b1adbd2927c5c3ae2d9b630e55
SHA1 d259f2a8a9a5031e0c9dc80d288aa5d1174eb453
SHA256 8fd0adeb543aa83e2442137e7a906dc4ef05d8ba71b58e76a28883b0dad78338
SHA512 586cde4a14b88fb07f024295f7afb8cadd77e8cce69ce9e8123bec52928f62e1abc1bd83705b07dece6fef43a289e3b0545a4525ab604cabc17b92680c7cb689

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fee5bbd842b7e27b50e19c14b9a2963a
SHA1 142e2cf07888e6ac011bfbe41ba4204820d21943
SHA256 2931696563001b12eca9eea679a687f811124c3b4a619cc3eb7bdb17f25540ab
SHA512 2167e804abab2cb778c5f1f1b203e33a2cdeb2c18d43d7c6997a583354194ecb017e637194bd89a62286f9cbcf64038bd297a2f60d8ceec40a31d4d660aed007

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b118a6c6fa24d1e7456ebc84e11ec321
SHA1 85351cce20cc110f5721b44e734337d659df7c6d
SHA256 5777800bef90df7e2830af9309a23941399900aa951ccef519ff3991fb9b4c40
SHA512 b4dbca43e6be943492bdd6f9b4aa046304b82a0c9d0599cc349f5ef3d10f40de520ddf73dd536004ba75de7af070a873b141dcabfa0d21c14e3d73f8ce77f4a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f19f74e9cefdf4c8517553a53325ad1
SHA1 c44ac9a395e4d49ba31d7ad38d7d70f8114d2bb0
SHA256 6586544f5bdb67a3d1a668775e8995bafaa044f2899798a41ab19400aec77516
SHA512 6eeb53f703ed4782b060a2a9127b34bcd662f4999a9233f2a4acfde2c10fc4f63cf043af95511c8b42b0b517bf7ae622765570038354f3e403d2c548e4a7b3e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 06:40

Reported

2024-05-31 06:42

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 4380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 4380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\863a662b0e30bfe45f52a6e911f7a936_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9849246f8,0x7ff984924708,0x7ff984924718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17685567469046941170,1101640990578389351,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 www.raimsing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f53207a5ca2ef5c7e976cbb3cb26d870
SHA1 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512 be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

\??\pipe\LOCAL\crashpad_2640_OOKFICVUQVQHDPWS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1 a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512 e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 78c6870bea8af20ed8344c2f1224d542
SHA1 ee788405860c85866e41b12ac30b6616688c271b
SHA256 3e7bdcbf8f2a4190f04a8ee1513e80199de7acfc1b8fb5502cb399edae568b35
SHA512 b11c60c8581ab8752db98eabe12150598858aa39e9573c2277928dd5cf4979d4306ed3cbedef21fac5df525e5128635fa6e59a7a978c2c69340810d20cef2ec2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 be306785f06b54bae65bb4d9ed940747
SHA1 4c2cc5fdf27f180ab3f3b94158f6370ea1a21545
SHA256 3c3001d6ec2c36a7af5a4f5fd2f9379b2a34c574a63537e09338a47958f61d76
SHA512 deda8636e9cea251775ffe5635e4fafc7f349fbe871735e4faf546e91807fcb5b64f4bd2a6774f1362bfdc12e883b266a091bad9ee309f513ccf9f9d4e265033

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 819b5ab82dc6b4d39f119879f80aa1f7
SHA1 a0547ecb5ba109cb8a7710c6d6947abca113f24f
SHA256 523c6628c57857bf04ee97cf74ad087aff70b8fcacdc9483d933eac63a765eb8
SHA512 cf483ef3f668fa428d17baed1bbee3e3f75cb71834b8c30294eded00e8ad31b44d411abf78c2707eb209af77b0e7a4b3a3d670cca2de908fc7eb3accdff9bebe