Malware Analysis Report

2025-01-19 07:14

Sample ID 240531-pp6z5ahe96
Target 8703adaf2d4c691d12a03f3c74bcae17_JaffaCakes118
SHA256 5832e463c06b4f4ac0e7bd1aed2371e881a1bfd674fc288933046a7aaf9c8161
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5832e463c06b4f4ac0e7bd1aed2371e881a1bfd674fc288933046a7aaf9c8161

Threat Level: Known bad

The file 8703adaf2d4c691d12a03f3c74bcae17_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 12:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 12:31

Reported

2024-05-31 12:33

Platform

win7-20240221-en

Max time kernel

137s

Max time network

119s

Command Line

wininit.exe

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxBF2A.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423320548" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a131c356b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d1867406cf887458494431743a1a2c6000000000200000000001066000000010000200000003a4e0e05c30bbe3451b7d66d951a207db77b4652c8c39f2395edf71b2919e726000000000e80000000020000200000002e154632c116c590cca74e79febd15974f3cd6226f057737aae78d972fdb9df090000000356b00a96b04f45c2fe4e7af496bc6f8e4fd24eb86d7d20ce13d86758ddf00d2c07fa554a0620e9c163f04a7b48ecca6f9215cc580a2bcb659fc0de2b2a12652a840122cb8e493d47d8db381123ac46f3c6b67ee87e4b3ecf359f34b38e1cc523825f40cb83f0cbef2414c80ec8ba3c929f5b7f49da95bdadf18f186e5b797659ec4721b876554aa9a37d172758a2d7e400000004c96773d8254237e9ff72e18b98e2f2df757fa3558b3dedbe697544af0739e34e1276ad48d55f7a483892f66c4e45285ee8d032d6080f609d9d6e9d3d6b7d5b9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF28A971-1F49-11EF-A8CB-6EAD7206CC74} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d1867406cf887458494431743a1a2c6000000000200000000001066000000010000200000003bfcbfeb3b2f18b5d9ca91264ab5f7b5bf4880b9599dceabd24a7cbea3e5040e000000000e80000000020000200000008069766757827086f2e7cd52928bccff5c6a1c8d46328d855cffd0381b0ee0852000000076d29e87c0bb348128b49422ffd910851faf18fcb740943aa55e402b77a48851400000001eca19d359dc6f1b304f9f58b2c5bfffc1ea06e2e9a136625857e1e95b6f681e23958ee30dfcc7e93576ac4028bd46059bf27efcc6e69cf214aa7819980d54ed C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1160 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1160 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1160 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1160 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1160 wrote to memory of 1040 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1160 wrote to memory of 1040 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1160 wrote to memory of 1040 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1160 wrote to memory of 1040 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 1040 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8703adaf2d4c691d12a03f3c74bcae17_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hermes.sogou.com udp
US 8.8.8.8:53 hm.baidu.com udp
CN 183.240.98.228:80 hm.baidu.com tcp
CN 183.240.98.228:80 hm.baidu.com tcp
CN 14.215.182.140:80 hm.baidu.com tcp
CN 14.215.182.140:80 hm.baidu.com tcp
CN 14.215.183.79:80 hm.baidu.com tcp
CN 14.215.183.79:80 hm.baidu.com tcp
CN 111.45.3.198:80 hm.baidu.com tcp
CN 111.45.3.198:80 hm.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 111.45.11.83:80 hm.baidu.com tcp
CN 111.45.11.83:80 hm.baidu.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1C38.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1D59.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf48361e4cab105d9816a268b791330b
SHA1 27a7854d9716afe4dcf574eb0e343ac6a60a7c4b
SHA256 79aa82184e95cfc2ea3924ac113d41a63aa60afd3d0310cefeec6405b2ca762d
SHA512 54adf85b46c7eb5122c96e0fd86b117e1a06b4a955d1febc9833c1e59e5109047978543f08861e1944b1992d64de14c85897e49ef63b891089f4fb40e67b40b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85d1948a3c09ee4caaa8c87669a73d41
SHA1 db8ce33482e24bb0b7f37ecb0bd7920a9b1ce4f1
SHA256 255967debb65b62bdf12647734dac24680341890d3c31e2fb0886c161571a087
SHA512 abca916c620e0bf89b454963ef30f93c320758a6febc54014722dcf1a902f9024b1544ca764cabc42a319548ee6edcc8d54052c97ca2e50ac45e834489f1887e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fccfaeb6654c4905ebc8f2f86dda8048
SHA1 56856ca26064b267396a14bcd1e47472736a30eb
SHA256 6b85b923f2f4edeed65f18e302fc6ed1dd74896dcffa27fba39158e48430de2d
SHA512 1383a83292bf324d68fb0856430a34bfd14997b811eeac9a1bb766d7d0722150958ba0339ebc58e34ef1d968b8ec251d6d4d255fc0118b41abe7ac758360d3c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ceb267f7b2432af75cc4a9c734dfc18
SHA1 103f23a44947d06ef720d0d1957f5981be281cb1
SHA256 51635e7a3a021d1f7f0c4ad97cf55852864a3a81d1cfbd15bfe66b6bc60f9a73
SHA512 5cf54d76b56b5569a488a32d13b9f1d938871bf982b098bab5d591e89ca0d8b06082aad7adee6e51ccf7a3ffa0bfa26ebd2394b28b0334b4db6ad300b030d9ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2bb33c66ab8ff1d83034524ba23beca
SHA1 1cf4aef80be003c298e1854f187e7082d06e271f
SHA256 48470514d5ac9fb2e98875139acb9d29b92ab19b3188cbfed685b3f3e88795cd
SHA512 99b9d1fd3526ac6bcc1ecafa09ef306036c3fee62b2e23b3334f6815fb7db83f8c93b7a6e659275c6e758103f1b2956642a52f590c10aaabfd6c4e592eea77a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6249aec9d955646a897fdc2630c191b0
SHA1 ad54d4e52286654062db1066be654ab43c014aab
SHA256 a376727e8b90fc03208cd6b47f7af1a6c0268e8567ec26a646f00e2dda4a64d5
SHA512 5d22b4a4789acee283a09ae323a37f3a98506fad5cf7915278d79ae5df8aba0e6c205e23b7fba429b5af9553d0572c8f094aff7c478c1cdedf72dcdf40b83f74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b17b60bd1940219d56813d0b3d17a3f
SHA1 94abce51a2ddc01184cfdf9e9e10004c7d4cb340
SHA256 c76ca4e6d1588f571b420685177dcd81d5d0bdb95fad350b03b51d0b0cd4dc19
SHA512 07fdd049e955d9262356a92647a6c69704a1b57109485ff15f4a7cf1b8e161e61559e82f8ab65556f15f067fcc79f1ef609903a7f58693f73cf1bfcb26f1f484

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 754b01587972763e9dd5be22a0d2e133
SHA1 21a0624b8c1230af0ccdf3aa90783446fd806057
SHA256 6177e7a5570a845f961cc8942935630137c99b80a5908d1c190229f5469fde71
SHA512 0bb9ce02ed44d6b6212b43e5b4dfa7abd653837c3279093b8b46d44d106d3cf887c333660edb4b635e66a4c523b8e188688be344326a0beb0cc9c0a392d75395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 110d9e28f5b2551f31557d20994880a4
SHA1 b33fcbbc3dc7c1ef65c689dc425bd8cf07cf6739
SHA256 ce94be9e67a713bc58b66ab344714bd1981f3ce30c132b53907a1b7e079fcba8
SHA512 13ed8bcd5b36d29650266650e604e5caf8d964fab9b1476949221485171b82204ce81d7ae1c21c95578e4effdf5ca1bf3dbd22ef36479de49bb486d1c508131b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 682e3137388c836c96eac4ba349e4e9f
SHA1 9a3389f9e7e6d2f12c0b350a4910fd59dd9b1edb
SHA256 5a254675709a39b4f95a9a11ebff5448959172084afc60dde258b13bfd1551f9
SHA512 9519c8a0dbd952c5d7b5ec695fc30e266d2d1f8cb0e0c5dabc9193521a913c9753720a60be216a4b419fa23a3882a41c4150b7e61c2e37e823d454006cc2fb43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 491c378210dc5dc561f0630405422476
SHA1 7eba1afedbaccc6d4e8c584c64bebf99144c55ae
SHA256 18780143f120be69a2e2aeb46f2901710eae3ab7967f3f69ff7157d59ff19848
SHA512 4cc3e638717c3c7c5b54d1f107b9a32a9e107c114156cdf12cd5b2975cc9f861322d069be1500ec86533dbaf3375c0f8f2a20d3d3483f3a7d866dbee081d4b59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed5fcae8afbb9f618e4c53ed40440e81
SHA1 10f9f8bad993ce2d99fe1fe15649ee92fc6a894d
SHA256 e572d0453c7f293b740ed9c694d0ad251c261a8c59f105d3057e782c67327592
SHA512 d74249bb8b1fd9b543b117322611ba3bce50fbc90f46a980d6cd37267bdcea7a8ccbd3f03a6edd591a94aaa1bd08ff0a076678d0e37bcd42d487d39f2ee18675

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 df455f0fa8fb3fa4e6699ad57ef54db6
SHA1 51a06248c251d614d3a81ac9d842ba807204d17c
SHA256 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
SHA512 f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

memory/1040-483-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1040-487-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afe178763cf40ce3c4b8f223e1a70b17
SHA1 145a8d42ab9bf143fb1b96ba21f48428449a7b56
SHA256 7c9f86f9f41e1940b7d0b2c2bbf8fb4d5407b2c45a78d60f1736c7a912022c36
SHA512 e21b2de697383454d1aa36c99d367089d5683534119efc536f4a21b89b5f945908c3e08058baef499e836eb0fb8d4e84faeeaef2729d698c48bd1b398b15b8e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5226ebbe53d99576d997d02677a36594
SHA1 9faac1f054778a1f77d31ff7a94c33dc9648c8de
SHA256 b279daf03ab33870e1d2b849676491d18c9f736f223a98176201ac9060bac3f2
SHA512 0fcb6406549c427e12f4e1e8681e674494d8b348422243b7de1d705e453452c5ec1caa6fadf0e81e98bfd95907be30b0fb90a7a6f000240a4324d8fac4d47631

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9a776e4b833eb32c73227376f47ae1b
SHA1 9b5d220e7888c958daf3ba860f352b44ded15019
SHA256 1f3da91fc6417f1408dcc25204f29d9c9f4cad51c17ed391e74dc87c8b53efbb
SHA512 ed2a1c0ab888326b3ce5351a35a6344106cb69f3b9a5c832694684381ffbee906617ba17c898dcb1d90dbfc86f41a8a08c03542e8a5eabea3034fa1c25ab4217

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdea6fdf69c3313625f5822458f9c40f
SHA1 a5dffb5b188ebd02c82c3d35e28c467cb33f90d7
SHA256 3dd5218e6ba3d0cf316acf613be0ba01fd31d09641175170fd604e77cbc0bbe1
SHA512 ce7a05b973688c17e76aa142f9acaed505d36b8b0e7e8b86f0b58afca33401a7d0bb6ee2f5a1b3ebbc8e8708428fc090f47f2e81ea3ccba0858f24d954b3c25d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6387611491e1cb775fbe2da46c637fa
SHA1 45616d5d348f688e86951e8b828167522eba9d75
SHA256 2c966a94f8255b20e3026735c153d4b73e975dfe50b7af03c7da9daa1e797335
SHA512 04c75e33024623a2392a86a039f62d7327a7fa167cb61a432c2707df45038c79a0346f19cdb0baa18dfd5030a1859703c449868cc18880885cd624710eeafeaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ceb85e894c11b222be89aca9122c00ac
SHA1 4c9cf88352af8e10a337fc9cccf29118bc3fa50f
SHA256 6a24372892db848fbd1d10c34ae55240702205bc5060306d461244ab6dab3150
SHA512 2c2cf28a19259fe1316c00fc3c1714e080b6c661ee8ee3082db793c989c4750b2b70f17259aac9b6fa1ae63bd67888eff29c9d3fb87e524f4f3f313248d07fad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ea07828d06adc1664a83d7a84733009
SHA1 879a274a26b6d08fcb18bd0977a24b94b63f6d03
SHA256 56ab065eac0070ad825de28f6a4b0e64684584f5ea17f3797012a21a1e9a967d
SHA512 f409a99ee8d78b0afd01f3d3ca8914dacdf999c3f5c6255efb7ab79896d38c7c80c2ab69e07a66c9b74615270c9aec605d71d83c6f679e1ef96e64a3b0a16f83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0084cfd108f749f0b2cbfd48ff8b34c5
SHA1 931965102ea3f6762ba2e29a2ef3ebca5f16e8c2
SHA256 60ee3f3f59bae9d662c2a8bc760b70fe83ffc6fe96761a7099d5086d5415320a
SHA512 3f8ac578aff94b4f1b8e796956f0a72c4d31a4a51db6d377e2683dbad725abf5519fa2d2576b5c1e482c27cf4d03d1d3a6a7fa84e0cd732044ce3d34e40e7bc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82399207409d74e3f2dea22d2d6f3b98
SHA1 da8ffcf6adf1c6c79dc0463e08ee6cb05827594a
SHA256 a2fba17726bc3fcbad4dbe6c905582fdf047bbfda4cdcd82a1b19baf6d827f8d
SHA512 e2b2d5ab8d8c14f6e9fbd2abb2d8b57ffca5a3354175c61bfa1d107f94e953e39c6cf81e17035a30be129981de4d5661c4db3b0c165782521449e35ef5a0401c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9aaddacae57be5255c0b836973127f4
SHA1 5f96d082e9210675808ac838c9bf8a61c1f485ee
SHA256 a9675d6a811f2d72596dd3a0e6e84d1035de84fdccbad09dec46920f38beb63f
SHA512 88658c93b954e2c93d4a3e23950a04e257be67f701300879767274b4cbc88556839131a37ad91e723583429bbc81b12503b067a118b975bc1aadf11aa2dac1c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1cba18120195e2f5791040e84f77932
SHA1 6fb7c18f3b2b7d82981c53ad36a89e448fc1aea2
SHA256 a8de56c96ee6663aad1a244b784fdfff3c870981e667a1166d26fd7cc5d020da
SHA512 5866642aa94382200b8b715fa465a36d3c1d45dc871b0ca171626641d042c1dc51ce75bbdf68cae9549cadb2b483b49eec918e5b929f12982b1b4ae5b4f9323f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddc04ff8f865e89ef0ab6caee8065f46
SHA1 b269ab07de5db65d22caab37b39e2261cb63493c
SHA256 f08c0368dcff0c380a06bfe7e3036ae4859a3ddf30ef3ef8c8155760d32d24c7
SHA512 5118b133ef012105173cc245b46a0cee49e1f3e7538923e7886d7ff4910e1ff5962dc2d1c3e9c16aee4d9bbb0ab8cc8948dedb774845f6c84e0d1c7970fd5829

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 12:31

Reported

2024-05-31 12:33

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

137s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8703adaf2d4c691d12a03f3c74bcae17_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 1908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 1908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 2912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4984 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8703adaf2d4c691d12a03f3c74bcae17_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb552146f8,0x7ffb55214708,0x7ffb55214718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9980512534572898524,6808890858770297139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5652 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 hermes.sogou.com udp
US 8.8.8.8:53 hm.baidu.com udp
CN 111.45.11.83:80 hm.baidu.com tcp
CN 111.45.11.83:80 hm.baidu.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
CN 183.240.98.228:80 hm.baidu.com tcp
CN 183.240.98.228:80 hm.baidu.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 14.215.182.140:80 hm.baidu.com tcp
CN 14.215.182.140:80 hm.baidu.com tcp
US 8.8.8.8:53 160.144.22.2.in-addr.arpa udp
CN 14.215.183.79:80 hm.baidu.com tcp
CN 14.215.183.79:80 hm.baidu.com tcp
IE 52.111.236.23:443 tcp
CN 111.45.3.198:80 hm.baidu.com tcp
CN 111.45.3.198:80 hm.baidu.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ecdc2754d7d2ae862272153aa9b9ca6e
SHA1 c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256 a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512 cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2daa93382bba07cbc40af372d30ec576
SHA1 c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA256 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA512 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

\??\pipe\LOCAL\crashpad_4984_MDULCLWLWBKFIYTS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ae7fa3df77b31d4b7ae5985878edec0f
SHA1 d9b67a3c7ad7ee70dea85791809bb29f952b44b0
SHA256 1a268730364070ed1872828c518ac8904dfc6497d1227113331936dbe0dbc26b
SHA512 7f97f35a3a36d1e382c1b6f08bef5ae700e06d373b4c6d30430f7f8226c69a22532ba6467140effab0e05a6b6d664c4bde563718b3386722eaa8ba9fdf83c08c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c40d78bcbf949a328caf952171d540bd
SHA1 e440ac9b7540b4456963bfb5ff6c040cb1ab92a0
SHA256 16404316cdd1c37df030cf5f492fa82a860cc7f4efc9c4d5025a9e5e75ecf757
SHA512 e058b0762f1796c6b8606fe0d152390deedd126967d711d2c387722f4e1a3e32969489be22c74a68838345c044d9bdd101e2502b4913f41a183725da02de4f4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9cc756efc37c73ea950005080c5cbfe5
SHA1 33b8ec07e2b74c1db807fd56e9e0ccf66ccd0727
SHA256 dbae133fbc5abb057b487563b2fb34a6308ef43448c2e20da51bb9532a574c2c
SHA512 ff36b036c5ec261d5c5d5872e4ceb49656dcbaee98482a2a1f481ec8968368fd8963ef6f4609cfe325033f9fcdb2920e5968b5bf60e27e90c2ece725a8048a44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 016dfe25aaacc59d9c556d75241e6869
SHA1 8858f48752e57a72d2bdcbd3aeddb854d0674f32
SHA256 442ceb879e01c5e04e02d6f887b13a0c1d8f287b0de45b5acd0151196de368bf
SHA512 2e399e73acfb4df6e63fa9ef9340271237d1f8aaf92cbbc0e35599723f5af09d5f2e127f866ebf179a261aeeb4627978fd121ced0072a3d95af0aac825ed647e