Malware Analysis Report

2025-01-19 07:21

Sample ID 240531-wt6y9ahb52
Target 87e27f533c7169f4a8643437b9cc5702_JaffaCakes118
SHA256 57a546f3ac5d18e6e6f8a5fd731249564ae36fe435c75094a51f83dc4cdc5cd9
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57a546f3ac5d18e6e6f8a5fd731249564ae36fe435c75094a51f83dc4cdc5cd9

Threat Level: Known bad

The file 87e27f533c7169f4a8643437b9cc5702_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Program Files directory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 18:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 18:13

Reported

2024-05-31 18:16

Platform

win7-20240508-en

Max time kernel

135s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\87e27f533c7169f4a8643437b9cc5702_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxD3A.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8917C151-1F79-11EF-AE65-4658C477BD5D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423341100" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 616 wrote to memory of 2220 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2220 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2220 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2220 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2220 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2220 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2220 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2220 wrote to memory of 2968 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2104 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2104 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2104 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2104 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 616 wrote to memory of 2964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 616 wrote to memory of 2964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\87e27f533c7169f4a8643437b9cc5702_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:616 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:616 CREDAT:209940 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 wpa.qq.com udp
US 8.8.8.8:53 www.jinfeng-hotel.cn udp
US 8.8.8.8:53 lvt.zoosnet.net udp
US 8.8.8.8:53 wpa.b.qq.com udp
CN 101.91.33.148:80 wpa.b.qq.com tcp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
CN 101.91.33.148:80 wpa.b.qq.com tcp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:80 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
HK 43.159.234.172:443 wpa.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 163.181.154.235:80 ocsp.digicert.cn tcp
US 163.181.154.237:80 ocsp.digicert.cn tcp
US 163.181.154.233:80 ocsp.digicert.cn tcp
US 163.181.154.235:80 ocsp.digicert.cn tcp
US 163.181.154.234:80 ocsp.digicert.cn tcp
US 163.181.154.238:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 pub.idqqimg.com udp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:80 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
HK 203.205.136.81:443 pub.idqqimg.com tcp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
HK 203.205.136.81:443 pub.idqqimg.com tcp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
US 8.8.8.8:53 ocsp.dcocsp.cn udp
GB 79.133.176.223:80 ocsp.dcocsp.cn tcp
GB 79.133.176.211:80 ocsp.dcocsp.cn tcp
GB 79.133.176.224:80 ocsp.dcocsp.cn tcp
GB 79.133.176.223:80 ocsp.dcocsp.cn tcp
GB 79.133.176.224:80 ocsp.dcocsp.cn tcp
GB 79.133.176.211:80 ocsp.dcocsp.cn tcp
GB 79.133.176.211:80 ocsp.dcocsp.cn tcp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
CN 101.91.33.243:80 wpa.b.qq.com tcp
CN 101.91.33.243:80 wpa.b.qq.com tcp
CN 101.91.33.148:80 wpa.b.qq.com tcp
CN 101.91.33.243:80 wpa.b.qq.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 s4.cnzz.com udp
CN 220.185.168.234:80 s4.cnzz.com tcp
CN 220.185.168.234:80 s4.cnzz.com tcp
CN 220.185.168.234:80 s4.cnzz.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

MD5 418a15b6a3cd7f919143947b0ac54a69
SHA1 858080189dc01c08e9a5640747e2fc6d60937e5b
SHA256 6b5e47fad3bbf5d215d0454e82e090bf7f0e92a56602ebbd6429cd18873e237b
SHA512 b682be4672946af345860a46aefde321b0ba2c44986a253682592eb3038e903425aaaca61dbea49fed21d65fb3a64d1c88957c62ead16a45a00808872e2e19b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0A17BC17FF10008872A7205D0D43E2_5FE90E28A5C4F66460B6A36ECFF82C5E

MD5 b1200381ee354d9627b1834aad351bd6
SHA1 7d2d8e9f636c8aabe593b2c1f305ce35b2f988a5
SHA256 64f8eecfc50a8e206e9e7250bfcf0555674e05317a5f06bd14f6f21de24281af
SHA512 d889b093e88a36c8851cb22fc6520ef725cd37a7a1b907c4dde294b2ca4367c22e8ec0ea9d197dc6fec106467a1adb84a4b5cdd627429ad3488b54293db6be9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3e9287ac61b17030e3a439c86177abd
SHA1 ca4ab589dcc170a547c7b34b3cb866752385090e
SHA256 cf326d8ff134a35c2e575bf38a944b3ece3afa3608f8b9722b54330b40474d84
SHA512 10f4984911dd9d4f4308db6414a1daf8d38b4fd965188a4e9529ea5983984ed74068f4ed7ff038c9063366d110efee3d234a768d3a336f9138a961d14b3684b0

C:\Users\Admin\AppData\Local\Temp\Cab1813.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1816.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\Cab1894.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar18A8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3c302e3717fe74e53775114816bfb6d
SHA1 1420aa79b6b54503f5a518357a1a6958c97292e5
SHA256 c48ca0af9224fc106f126da3dfb953cead50bdf1bacf3bd289a7d6ccd2da3742
SHA512 5bd872a1b5142ad92d9430c24899daaafe45d3110e9dd9e3832a97a9aeb3232ff29b3f7c326dd990884543967922033bff626b1a4c67b0db0f298850c1580de4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4be5b2d9abb8f14d66aa7230f55a2ee6
SHA1 3c2b6df00635fc2ea95ca2c4700a0bd160253559
SHA256 13a03406675647c395c4afb9af458d3557bf049dc66bb8f7f3e99a37319fcb63
SHA512 73d3a313beb5280c91f13c58d444ac9c41c7394d6470b13a7e38df809107f8448f93a18cea20048b6343d2ac3bc7166a6d57b8ab9aede7a39b83b42aae68729f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f6e232abf81cf94aa2e2d53a56909fa
SHA1 d18ad1b4fc0ec3ef4fb8d00989cec98acba101fa
SHA256 350d961c9cd81f372c4be6afa3e3b2706cb5a3931048fd0cec77dcc621b55830
SHA512 832fcd5c4b324a73641dfd75d89b3b9b7fbe4dc2ab82f27f6ca359a0fa52c5611f31babbbdd0d331a97d918580b318182c64069681f2a60b30b0445ce61dc36e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 584ff8bae9ae1669feece1946c90b2b0
SHA1 54fe4276b42b27da82c09d5dfb071b8a1a546c94
SHA256 3e72ffb5943a9ddfca6e3c49b412b6f58c25cc7dcc51a54504ede0322e06be71
SHA512 490bc3f77efe6bdd2ccaeedf989c951b634e51b7f8abfb7db2cf4a71079e266fa5541e07be0c5955f8ee2f83422a9bde23abf3e5771f1c5e77d716ab2dd3d2a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00c1ccf9071e1e8777f68a400e99026d
SHA1 ee8b54388e698719c36a8c04f91276b51aabfbfd
SHA256 6a4954cc531f9b16fafb85e73c2db06c084faf770087057d530d562df7553811
SHA512 cde7f0dc65e3b2b35845ab36feb23dcd723d0c6cceab34cf8f16a3a460e823b93beae6d8389e5f197eaa1e878382985eeba0f8a0e4370a99630b961e069c9aa1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d798af35b71a53d505a04376db2190e
SHA1 6920c39dbbd69a6d00eac822aa31b5b92a8abe8a
SHA256 956872615a8887cb5d6e9e0c1d5c46f3f353e2a43d68b227651712eefc5e4834
SHA512 eaccb0ee54f83763f61e36a5d2010f0560efbc16d8fc862862f54a2dd3115fdf2cfc640f7d40d4dfe4d4d5912b1a393cb5d2f6d497e6e983de7f6c5c46ee1e1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14544f5c9a1d70b4f99e52fd52749d55
SHA1 8e508c61767cf290eab993e4519f29382a45e7a1
SHA256 4b48ebd9103436feaf3c09e2c35640e5038c0b6bdc8db3ac5eee1707b9222a20
SHA512 5e35b36b31f2a81c178d740bfb0d27ed31c9a7c6677a75bae9585ead1e3c2cae188c387e436cb63b2e16a2ab4582cedfa02256e6e993d52ad1729ea53a74425b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37feb484c7e7a1e9cf20ed59a2fdf742
SHA1 b87d95d53ed1f852b4fa60e21098f00c56b025e5
SHA256 6cfd61e862ecb89a7fd672c33df05aa644b8e450741c4577b4f6b280980c2a86
SHA512 75c43531dc98a7977abf9882da17416368de67e13db41821315fdc4e454cb9d7ed4cc7b98e467154d20ae1d9f7d010ab6f2ec1032a05b4ad812e437a285d6da6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae79728aed345d63df15ec0b4163ab92
SHA1 dbae1b7ace3dc8712a0f5895f7d651ed44e6844a
SHA256 0976208f41756abf283691a22e8c773e1084a15a0dfdcd72b5fc5282a5075bcd
SHA512 6f34012d0a2b0a76e9f9bc2f3cea96d9bc1bac42ecf125211414df938cece9e7fecb2b61ec294238d4df3c8d34be15ccea51b96b20ea34a6fdd283f66c756093

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5a1297e70d64dac6a80aac6b5f48f04
SHA1 4f93ee6bed845a045a7fab34e754171306b95642
SHA256 2cd08a0a141d173332cb08c614e29dbc251b1b184dd7883140d9c2b94a15168d
SHA512 44bd75f4a190e78f76f4a8de39784f74b6385ce503d0ed07437806406e62ce77b4d74e38b9742fcc6f3ba1a715741b1c1b472e66364497846079d27ebc9f6a96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8e7ee61b340500b8b8d7a19e3d63a98
SHA1 b8d1143e36d3bac27baeedbc82f0818d0fd54919
SHA256 fe5911532e0fb4eceb584f5119b103d9265f1acece0c62dbb6d4e5cd07e40149
SHA512 e7f4a654ab7c28b14aacfc192776fa2ed65d9d3a36d50c451b39d9cd3f756df96200b6133f453505ecaae4b2372219d7149cb73a54378e7f1c9483c88af4b30f

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2968-553-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2968-552-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2104-560-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2104-562-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2104-563-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2104-564-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7416ad86d786f7a8805bac662ad0e61f
SHA1 fbe8555232c6211f2847188c49a48605c97e51e7
SHA256 a7e374ecc8925e39ee090b83da95549604a65350d2d79105f5a5f4b0df96d275
SHA512 3f066518f2ef5a6053f0cb66f049779e5d28205ee56ed37bb908f9b3512eadc2806a0b03f061a9d215dec27e1de4e8e9f0978ce6c578fc136ec571fe4838047f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a135109b2bffe8168e3c22dcbfd78970
SHA1 f36fb6006f051b486bccce4156261a7796cc8ba2
SHA256 7eccc65cb915a6f3040f6f3b7611f56636a9fe81d72413726f584d2d55ac3d76
SHA512 4cf431bf11b122bd2e02b153923404e8b653fd856657f43c96caed3426992417604280a98015d440e6cbbdc71f3f118e7f36908d611cd8d812eba23499458160

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2531c8662f96454b2627e2ab8e15eb68
SHA1 aa7253e8899c8e40f99f4aa69c76abfe77008e63
SHA256 5704e82db6ab2acaf7612993a3b88b85b0a9c1b45a65863454410e697195a74e
SHA512 6f1f1b5837f032dd721505e884b182b0c3c5f91e5d8075bd7f915133e12110a45bd08a8d3a99278d7280ed47d9d316a284e86d765a46625352a212f1e4fe03eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3e550a61e84fdc07edc857c65cc9179
SHA1 45fab3ed62ca628ee6017acf8b72c412a656a227
SHA256 d843a365acc63c8a571788c3d2239e84f937f2f40c4ef64496ce7e178ba6b13c
SHA512 054c075a41c8067a835808b400409e8eef0ba1901bc71496e1b8968079e4142881623c4731cc67f6ecfd62e836b13d79d17301e67067aa5d71106ba1431a2284

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2da7808b8a4405bb0d9dec24d26810f7
SHA1 639319262dcc4890ba0e83c5b1c934898e3eac09
SHA256 e640ee18480d3198e7e4b2dbc953171cce5996d6b0cea43d861f69d17b97d227
SHA512 6a7eee8f46798c584df33cc120ae79523b5690e5e8c480d7cdb458316ab7df4259aca751b3b46e84f0940cd4aacdb4d69b4545bcfd17b452772adc43d80f16f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4cd6c67d788d5690b7bccd3bec3e995
SHA1 d011542bcdbde70d1c3043fc51d8792d05a584b9
SHA256 0bd197fe2efcd794ab8c8f473c18f853e550b11df8aae9f71b98264d5f4898c0
SHA512 a341f791e1ede4c77f851be7b9b61c1a21c0d8a1a355fc656c02339d512de44b43136e857f8d7f9150c4fd62fbc925ce59cbdfa4e849439e85564494021d5103

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b7acc2f2dd5d73996fbce8c2141b2cc
SHA1 33a0a09eb9d3099900d05a4353ae027b069c9e19
SHA256 9b3d005b74073d4fb6a6bdfaf55d58c07e824dc2d1c2cec78015d6c182e0d619
SHA512 292b3355307993ba010dec3c5bd1264441dfb0ab8f19f16596c90cc02b5517aa697282110bf4dce351d36f10e4f616bdff49a891aebda9ae38421e1d1677bc03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da55642c16bb1a7fc68bb9a9c86679a4
SHA1 4ddeccd8df73a39833373d2f9dd359b966b28c66
SHA256 60416c0b16ed4186d748cb3ccf705c8c21f6f5601a5a0ed7bef65ec74444cf71
SHA512 96493134a9e4eb79002a663c9169da3afb4bf86a19f20f949eb1767bcc6e2d91cd62db3ee9fc5bb834e81f80cf3e7ddcc59f1edb9f34ef22588cbdd4b880c2bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f29e049d1c85e3c80b98c844312bc0d
SHA1 176631adcbff256debc2491fc383f5a8344b94cb
SHA256 c41516edf6a16a126f361bf841ea18129720bfc0f40c3581a6087df6fc37622d
SHA512 bc10ede2b0add765a11e8df2d59228168d856d534cf0cf87807d7353f5186d17ebeed300936cb9c466097c14112b5e634197147a77327618a479c9a0da9dc0d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac7cc43ba8d05ac3deef9294869a1be4
SHA1 9c19b6070738ecad6d2c6546fbad67932b8f8622
SHA256 e58688ab5b1494737ed4917be531c04ff34cf2f82d15b7601f68c66b9cfc464e
SHA512 124c1383a1d507a9a96962c28505824f409391e37668406f27d6f43e269c85be33827775fa16380a365b525ac52a1cb26a567f39ca4bc3c74c4a533f66a1896e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 18:13

Reported

2024-05-31 18:16

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\87e27f533c7169f4a8643437b9cc5702_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 2476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3340 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 3372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2636 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\87e27f533c7169f4a8643437b9cc5702_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe676e46f8,0x7ffe676e4708,0x7ffe676e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17054004699631621834,15699587688806163712,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5280 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 wpa.qq.com udp
US 8.8.8.8:53 lvt.zoosnet.net udp
US 8.8.8.8:53 wpa.b.qq.com udp
US 8.8.8.8:53 www.jinfeng-hotel.cn udp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
CN 101.91.33.243:80 wpa.b.qq.com tcp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
CN 101.91.33.243:80 wpa.b.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:80 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
HK 43.129.2.11:443 wpa.qq.com tcp
US 8.8.8.8:53 11.2.129.43.in-addr.arpa udp
US 8.8.8.8:53 pub.idqqimg.com udp
HK 203.205.137.184:80 pub.idqqimg.com tcp
HK 203.205.137.184:80 pub.idqqimg.com tcp
HK 203.205.137.184:443 pub.idqqimg.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 184.137.205.203.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
CN 101.91.33.148:80 wpa.b.qq.com tcp
CN 101.91.33.148:80 wpa.b.qq.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 s4.cnzz.com udp
CN 220.185.168.234:80 s4.cnzz.com tcp
CN 220.185.168.234:80 s4.cnzz.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 lvt.zoosnet.net udp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
CN 121.41.84.215:80 lvt.zoosnet.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 hm.baidu.com udp
CN 14.215.182.140:445 hm.baidu.com tcp
CN 14.215.183.79:445 hm.baidu.com tcp
CN 111.45.3.198:445 hm.baidu.com tcp
CN 111.45.11.83:445 hm.baidu.com tcp
CN 183.240.98.228:445 hm.baidu.com tcp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_2636_ZSVDCCESAPHFEIQK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 355d17de67d3e0e5a502a4775fb90cf8
SHA1 6b1868918aab202a09d23deed6112331822d7f5c
SHA256 bc84ebe67c94ee708aa23f88c60a76e4a0f2db75621b62c3a6978ba1d055f484
SHA512 a18387821333f6cf11dadb7e8e4690bbedebde9c1ade2c71b1d39863644766ea25d33e02306e0a0fadaba865222c102cb7de9ba89faf0a29b34ee6960e78b1d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e89f7077-0966-43f8-b956-5e592b94615d.tmp

MD5 2398c625e1cc75ed06ba46486c1436fd
SHA1 2a5ca8a8af0dea118f233288a4eea47362589074
SHA256 14190682666a16c5538b16c26e21c0369ba786ae602ddeaff331108fc28a2f54
SHA512 431b26de71896a7f20c7e42161a832cd834992015cb766ece5af0f3d0f3a2c5deffbef19d7b7c3b4035a7fb323ed4a999a002b139c30caf3acc08412bde39559

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c2b8275831c670a4d1890856caf4f947
SHA1 afc26e27c7c44851dd8c3c1befcab16a7b0b1098
SHA256 4dc2196c44067c248b602487e8911bc9ebece53ded83b7ced54e5300fc386be6
SHA512 7c8e339c4c7af0d1d75ea519dcfae646f722adcc68812c6fd6b8786e4b106fa8542fe2b2846a94ae8345690b7f98d2e93b594af3fc734be1719401b4e667cf63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a28fc8c7b408c9fec7eb29ba72319a1a
SHA1 2b1815d04fb077e076a7c078db984304b82cf50e
SHA256 1d26a34f3b686ef9b0f4402fd77dbbf4e517c3a60d31f19751f038953abe9e65
SHA512 6a6f10e0011b2e2f335d65b2b5da07e47e06aa5eeb22ac8950f63928c18242952d216526c8a2ba909ad04fdaf073215c4277272c6de2a28c7cb39a211f0a78bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c1b55d3789b4ae3c37d5618806632f5d
SHA1 a9d90ca4e02df959a5602ae11cdd304e5ac8db3f
SHA256 05bb6420f35c54fbedee68556e09f3144e6641e6d96f6f056871103a037a74c1
SHA512 3ee7d0b1e0a492fad4dc5f8424be7a1e05eeebe3172997bb8714c89e4fe1e0b2131431d9b7f696dceb415bcafa8bf8b676d435c220c16290e835b8a993906683

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389